
etc: Tighten systemd security settings

author Alberto Bertogli
2023-01-30 12:23:56 UTC
committer Alberto Bertogli
2023-01-30 12:23:56 UTC
parent 2537ad557ed590ca707e4d65ee6e4204cb193463

etc: Tighten systemd security settings

This patch updates the default systemd config file, adding more
security-related settings to reduce unnecessary exposure, just in case.

etc/systemd/dns-to-https/dnss.service +15 -6

diff --git a/etc/systemd/dns-to-https/dnss.service b/etc/systemd/dns-to-https/dnss.service
index 154ba5f..05a3afd 100644
--- a/etc/systemd/dns-to-https/dnss.service
+++ b/etc/systemd/dns-to-https/dnss.service
@@ -14,15 +14,24 @@ ExecStart=/usr/local/bin/dnss \
 Type = simple
 Restart = always
 
-# The user can be created with no permissions using:
-#
-#   sudo useradd -U dnss -M -d /nonexistent -s /bin/false
+# Use a dynamic user, since dnss doesn't use any persistent storage anyway.
+DynamicUser = true
 User = dnss
 Group = dnss
 
-# Simple security measures just in case.
-CapabilityBoundingSet = CAP_NET_BIND_SERVICE
-ProtectSystem=full
+# Some security measures to reduce unnecessary exposure, just in case.
+CapabilityBoundingSet =
+ProtectSystem = strict
+PrivateUsers = true
+PrivateDevices = true
+RestrictNamespaces = true
+ProtectControlGroups = yes
+ProtectProc = invisible
+ProcSubset = pid
+SystemCallArchitectures = native
+SystemCallFilter = @system-service
+ProtectKernelModules = yes
+ProtectKernelTunables = yes
 
 
 [Install]
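Review bot: The emptied `CapabilityBoundingSet =` together with `PrivateUsers = true` removes any ability to bind a privileged port, whereas the removed line still granted CAP_NET_BIND_SERVICE; if dnss still listens on port 53 — the `ExecStart` arguments are cut off in the hunk header, so this cannot be confirmed from the hunk — the listener bind will fail at startup under the new unit. If a privileged port is required, either keep `CapabilityBoundingSet = CAP_NET_BIND_SERVICE` plus `AmbientCapabilities = CAP_NET_BIND_SERVICE` and drop `PrivateUsers`, or hand the socket in via socket activation, and state the chosen approach in the comment above the block so the next reader knows why the capability is or is not present. Separately, the new lines mix `true` and `yes` for boolean settings (`PrivateUsers = true` vs `ProtectControlGroups = yes`); one form throughout the unit would be clearer.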