Date: Sunday, November 6, 2022 @ 22:26:02 Author: dvzrv Revision: 460798
Harden shadow.service Apply all possible hardening options for shadow.service to sandbox the calls to pwck and grpck as good as possible. Modified: shadow/trunk/shadow.service ----------------+ shadow.service | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) Modified: shadow.service =================================================================== --- shadow.service 2022-11-06 21:10:03 UTC (rev 460797) +++ shadow.service 2022-11-06 22:26:02 UTC (rev 460798) @@ -3,9 +3,35 @@ After=systemd-sysusers.service [Service] -Type=simple +CapabilityBoundingSet= # Always run both checks, but fail the service if either fails ExecStart=/bin/sh -c '/usr/bin/pwck -r || r=1; /usr/bin/grpck -r && exit $r' Nice=19 IOSchedulingClass=best-effort IOSchedulingPriority=7 +IPAddressDeny=any +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +PrivateDevices=yes +PrivateNetwork=yes +PrivateTmp=yes +ProcSubset=pid +ProtectClock=yes +ProtectControlGroups=yes +ProtectHome=read-only +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectProc=invisible +ProtectSystem=strict +RestrictAddressFamilies=none +RestrictNamespaces=yes +RestrictSUIDSGID=yes +RestrictRealtime=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@resources +SystemCallFilter=~@privileged +UMask=0077
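Review bot: the whole sandbox in this hunk only works because both checks run read-only (`-r` on the unchanged `ExecStart=/bin/sh -c '/usr/bin/pwck -r || r=1; /usr/bin/grpck -r && exit $r'` line): `ProtectSystem=strict` makes /etc read-only and `CapabilityBoundingSet=` drops every capability, so a later change that removes `-r` (or adds a fix-up pass) would fail at runtime rather than at review time. A one-line comment next to `ExecStart` stating that the unit must stay read-only would make that dependency explicit. Two smaller points: the unit still runs as root (no `User=`/`DynamicUser=`), which is what lets it read /etc/shadow and /etc/gshadow as their owner without `CAP_DAC_READ_SEARCH`, so the empty bounding set is the real privilege limit and is worth mentioning in the commit message; and dropping `-Type=simple` is harmless since that is the default, but the message does not say so. The `SystemCallFilter=` ordering is correct (`@system-service` first as the allow list, then `~@resources` and `~@privileged` subtracted from it); the resulting exposure level can be checked with `systemd-analyze security shadow.service` before and after applying the patch.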
