From 182aefdd27d680a9bfd999dfa45304a42f77b1f2 Mon Sep 17 00:00:00 2001
From: James Bunton
Date: Sun, 11 Aug 2019 09:07:05 +1000
Subject: [PATCH 1/1] systemd hardening

---
 .../system/my-overrides/10-security.conf | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 etc/systemd/system/my-overrides/10-security.conf

diff --git a/etc/systemd/system/my-overrides/10-security.conf b/etc/systemd/system/my-overrides/10-security.conf
new file mode 100644
index 0000000..c8fe6e2
--- /dev/null
+++ b/etc/systemd/system/my-overrides/10-security.conf
@@ -0,0 +1,27 @@
+[Service]
+# Never accessible to any services
+InaccessiblePaths=/mnt
+
+# By default inaccessible, may be overriden with BindPaths/BindReadOnlyPaths
+TemporaryFileSystem=/home:ro
+
+NoNewPrivileges=yes
+
+MountFlags=private
+ProtectSystem=strict
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateTmp=yes
+PrivateDevices=yes
+
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+RestrictSUIDSGID=yes
+
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
--
2.39.2
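Review bot: `CapabilityBoundingSet=~CAP_SYS_ADMIN` removes a single capability, so any unit this drop-in covers that runs as root keeps the rest of the bounding set (CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_DAC_OVERRIDE, CAP_NET_ADMIN and so on), which leaves the sandbox as a deny-list of one. Since this file is meant to be shared across services, consider widening it, e.g. `CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_BOOT`, or inverting it to an allow-list (an empty `CapabilityBoundingSet=` here, with the few capabilities a unit actually needs added in that unit's own drop-in) if the set of covered units is known. `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` also excludes AF_NETLINK, which anything that enumerates interfaces or routes relies on; that is presumably intentional, but a comment on that line such as `# AF_NETLINK deliberately excluded; add it per unit if needed` would make a later failure recognisable as this policy rather than a bug. The directory `my-overrides/` is not a location systemd reads on its own (drop-ins live in `<unit>.d/` or `service.d/`), so presumably it is symlinked per unit; a one-line comment at the top of the file stating how it is wired in would help. Also, `overriden` in the comment above `TemporaryFileSystem=` should read `overridden`.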