# planetfilter.service — one-shot refresh of the Planet Filter feeds.
# There is no [Install] section, so this unit is presumably activated by a
# timer or started manually rather than enabled at boot.
# Keep ExecStart and ReadWritePaths in sync with the updater script.

[Unit]
Description=Update Planet Filter feeds
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/share/planetfilter/update-feeds
# Leading '-' means a missing file is tolerated rather than failing the unit.
EnvironmentFile=-/etc/default/planetfilter
User=planetfilter
# NOTE(review): Group=root gives the process gid 0 and therefore read access to
# anything root-group-readable; confirm it is required for the writable paths
# below, otherwise a dedicated group would narrow the blast radius.
Group=root

# Privilege and capability restrictions
# Empty capability sets drop every capability.
AmbientCapabilities=
CapabilityBoundingSet=
NoNewPrivileges=true
RestrictSUIDSGID=true
LockPersonality=true
RestrictNamespaces=true
RestrictRealtime=true
RemoveIPC=true
MemoryDenyWriteExecute=true

# Kernel interface protection
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProcSubset=pid

# System call allow-list: native ABI only, common service syscalls
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Filesystem view: read-only system tree, private /tmp, /dev and user
# namespace; only the two paths in ReadWritePaths remain writable.
# NOTE(review): a network-fetching updater writing under /etc is unusual —
# presumably generated filter files land in /etc/planetfilter.d; verify and
# drop that path if the script only needs the cache directory.
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ReadWritePaths=/etc/planetfilter.d /var/cache/planetfilter

# Network: IPv4/IPv6 sockets only. Assumes name resolution on the host does
# not need AF_UNIX (e.g. nscd or a local resolver socket) — TODO confirm.
RestrictAddressFamilies=AF_INET AF_INET6