diff options
author | Tom Ryder <tom@sanctum.geek.nz> | 2020-06-24 00:59:04 +1200 |
---|---|---|
committer | Tom Ryder <tom@sanctum.geek.nz> | 2020-06-24 01:00:44 +1200 |
commit | ac9568c48b353e23706c9f2d8e09d9a9d091f866 (patch) | |
tree | 09156f5777658ada254ca79017f8dde26337b50e /newsboat/systemd/user | |
parent | Add reload logs for Newsboat (diff) | |
download | dotfiles-ac9568c48b353e23706c9f2d8e09d9a9d091f866.tar.gz dotfiles-ac9568c48b353e23706c9f2d8e09d9a9d091f866.zip |
Add hardening to Newsboat
Diffstat (limited to 'newsboat/systemd/user')
-rw-r--r-- | newsboat/systemd/user/reload-newsboat.service | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/newsboat/systemd/user/reload-newsboat.service b/newsboat/systemd/user/reload-newsboat.service index c1e5fab9..24cda424 100644 --- a/newsboat/systemd/user/reload-newsboat.service +++ b/newsboat/systemd/user/reload-newsboat.service @@ -8,3 +8,21 @@ Type=oneshot LogsDirectory=newsboat LogsDirectoryMode=0700 ExecStart=newsboat --execute=reload --log-file=%L/newsboat/%p.log --log-level=6 +# Hardening +KeyringMode=private +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +RestrictAddressFamilies=AF_UNIX +RestrictAddressFamilies=~AF_UNIX +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources +UMask=0077 +# Slowing +Nice=10 +IOSchedulingClass=best-effort +IOSchedulingPriority=7 |