On Wed, 14.12.16 10:55, Richard Hughes (hughsi...@gmail.com) wrote:

> On 14 December 2016 at 09:32, Reindl Harald <h.rei...@thelounge.net> wrote:
> > RestrictAddressFamilies=AF_NETLINK
>
> Great, that was the pointer I needed, thanks. I'm currently setting
> this in the service file:
>
> NoNewPrivileges=yes
> PrivateTmp=yes
> PrivateUsers=yes
> ProtectControlGroups=yes
> ProtectHome=yes
> ProtectKernelModules=yes
> RestrictAddressFamilies=AF_NETLINK AF_UNIX
>
> Are there other important settings I've missed? fwupd does access the
> hardware and write the odd file to the filesystem, so there didn't seem
> any other super useful flags. Thanks.
Well, depends on the systemd version you are running. I'd also set, if you can:

RestrictRealtime=yes
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources
ProtectKernelTunables=yes
ProtectSystem=full
PrivateDevices=yes
CapabilityBoundingSet=...

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
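As an added check (not code from fwupd, systemd or either poster), the script below parses a unit's [Service] section and reports which of the directives Lennart lists are absent or set to an unexpected value. The sample unit is constructed from the settings Richard posted, and the parser is a deliberately simplified reading of unit-file syntax (no drop-ins, no line continuations).

```python
# Added example (not fwupd's or systemd's own code): find missing hardening directives.
# Lennart's additions; None = any non-empty value counts as set.
RECOMMENDED = {
    "RestrictRealtime": {"yes"}, "MemoryDenyWriteExecute": {"yes"},
    "RestrictNamespaces": {"yes"}, "ProtectKernelTunables": {"yes"},
    "PrivateDevices": {"yes"}, "ProtectSystem": {"full", "strict"},
    "SystemCallFilter": None, "CapabilityBoundingSet": None,
}

def parse_unit(text):
    """Minimal unit parser -> {section: {key: [values]}}. Repeated keys
    accumulate (systemd list semantics); an empty value resets the list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = [] if value == "" else current.get(key, []) + [value]
    return sections

def missing_hardening(text, recommended=RECOMMENDED):
    """Directives absent from [Service] or set to an unexpected value."""
    service = parse_unit(text).get("Service", {})
    problems = []
    for key, accepted in recommended.items():
        values = service.get(key)
        if not values:
            problems.append(key)
        elif accepted is not None and values[-1].lower() not in accepted:
            problems.append(f"{key}={values[-1]}")
    return problems

# Constructed sample: the settings Richard reported in the thread.
RICHARD_UNIT = """\
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
RestrictAddressFamilies=AF_NETLINK AF_UNIX
"""

if __name__ == "__main__":
    print("not set:", ", ".join(missing_hardening(RICHARD_UNIT)))
```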