diff options
author | Hideki Saito <hideki@hidekisaito.com> | 2015-06-22 20:56:28 +0300 |
---|---|---|
committer | Hideki Saito <hideki@hidekisaito.com> | 2015-06-22 20:59:34 +0300 |
commit | 73112980b376f78383c68a3af289216a769a6b61 (patch) | |
tree | 5e199047f037a0eb83099272a86348941321254a | |
parent | 74795cd42d7ba89d36e6e3ac67762e90b5304de3 (diff) |
Added hardening to confine its system capability to what SoftEther requires
-rw-r--r-- | systemd/softether-vpnbridge.service | 9 | ||||
-rw-r--r-- | systemd/softether-vpnclient.service | 8 | ||||
-rw-r--r-- | systemd/softether-vpnserver.service | 9 |
3 files changed, 26 insertions, 0 deletions
diff --git a/systemd/softether-vpnbridge.service b/systemd/softether-vpnbridge.service index df007747..d8b35d71 100644 --- a/systemd/softether-vpnbridge.service +++ b/systemd/softether-vpnbridge.service @@ -10,6 +10,15 @@ ExecStop=/opt/vpnbridge/vpnbridge stop KillMode=process Restart=on-failure +# Hardening +PrivateTmp=yes +ProtectHome=yes +ProtectSystem=full +ReadOnlyDirectories=/ +ReadWriteDirectories=-/opt/vpnbridge +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE + + [Install] WantedBy=multi-user.target diff --git a/systemd/softether-vpnclient.service b/systemd/softether-vpnclient.service index ad1f94f6..f74b1cf8 100644 --- a/systemd/softether-vpnclient.service +++ b/systemd/softether-vpnclient.service @@ -11,6 +11,14 @@ ExecStop=/opt/vpnclient/vpnclient stop KillMode=process Restart=on-failure +# Hardening +PrivateTmp=yes +ProtectHome=yes +ProtectSystem=full +ReadOnlyDirectories=/ +ReadWriteDirectories=-/opt/vpnclient +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE + [Install] WantedBy=multi-user.target diff --git a/systemd/softether-vpnserver.service b/systemd/softether-vpnserver.service index 08c302fd..553b5290 100644 --- a/systemd/softether-vpnserver.service +++ b/systemd/softether-vpnserver.service @@ -11,6 +11,15 @@ ExecStop=/opt/vpnserver/vpnserver stop KillMode=process Restart=on-failure +# Hardening +PrivateTmp=yes +ProtectHome=yes +ProtectSystem=full +ReadOnlyDirectories=/ +ReadWriteDirectories=-/opt/vpnserver +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE + + [Install] WantedBy=multi-user.target |