aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTom Ryder <tom@sanctum.geek.nz>2020-09-13 01:19:27 +1200
committerTom Ryder <tom@sanctum.geek.nz>2020-09-13 01:19:27 +1200
commit95719938f1e8e62577d4c5631607ac075b78b6d9 (patch)
tree50a8f566a0e45846c1d91b340f828c24ca1e1180
parentMerge branch 'release/v10.7.0' into develop (diff)
downloaddotfiles-95719938f1e8e62577d4c5631607ac075b78b6d9.tar.gz
dotfiles-95719938f1e8e62577d4c5631607ac075b78b6d9.zip
Remove hardening from systemd units
I suspect most-to-all of this doesn't actually work, and probably shouldn't deploy it unless and until I am.
-rw-r--r--newsboat/systemd/user/reload-newsboat.service20
-rw-r--r--systemd/user/notify-email@.service11
2 files changed, 0 insertions, 31 deletions
diff --git a/newsboat/systemd/user/reload-newsboat.service b/newsboat/systemd/user/reload-newsboat.service
index 981ef7bc..2699697c 100644
--- a/newsboat/systemd/user/reload-newsboat.service
+++ b/newsboat/systemd/user/reload-newsboat.service
@@ -8,23 +8,3 @@ Type=oneshot
LogsDirectory=newsboat
LogsDirectoryMode=0700
ExecStart=newsboat --execute=reload --log-file=%L/newsboat/%p.log --log-level=5
-# Hardening
-IPAddressDeny=any
-IPAddressAllow=localhost
-KeyringMode=private
-LockPersonality=true
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-RestrictAddressFamilies=AF_UNIX
-RestrictAddressFamilies=~AF_UNIX
-RestrictNamespaces=true
-RestrictRealtime=true
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources
-UMask=0077
-# Slowing
-Nice=10
-IOSchedulingClass=best-effort
-IOSchedulingPriority=7
diff --git a/systemd/user/notify-email@.service b/systemd/user/notify-email@.service
index bddee12a..9293c423 100644
--- a/systemd/user/notify-email@.service
+++ b/systemd/user/notify-email@.service
@@ -4,14 +4,3 @@ Description=unit status mailer service for %i
[Service]
Type=oneshot
ExecStart=sh -c 'systemctl --user status %i | mail --append="From: systemd" --append="X-systemd: %H %m %b" --subject="[systemd] %i failure" %u'
-# Hardening
-DevicePolicy=closed
-IPAddressDeny=any
-PrivateMounts=true
-PrivateTmp=true
-ProtectControlGroups=true
-ProtectHome=true
-ProtectSystem=full
-RemoveIPC=true
-SystemCallErrorNumber=EPERM
-UMask=027