commit:     42bdffe7965568ff651899b35bfa6dceeb757d24
Author:     Craig Andrews <candrews <AT> integralblue <DOT> com>
AuthorDate: Thu Jun 30 14:27:06 2016 +0000
Commit:     Matt Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Thu Jun 30 22:40:50 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42bdffe7

net-misc/radvd: systemd hardening

Improve the systemd unit by having radvd never run as root, restricting 
capabilities as much as possible, and limiting file system access.

Gentoo-bug: 587588

 net-misc/radvd/files/radvd.service | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/net-misc/radvd/files/radvd.service 
b/net-misc/radvd/files/radvd.service
index d9095f6..a3ac66f 100644
--- a/net-misc/radvd/files/radvd.service
+++ b/net-misc/radvd/files/radvd.service
@@ -4,12 +4,23 @@ Documentation=man:radvd(8)
 After=network.target
 
 [Service]
+User=radvd
+Group=radvd
 Type=forking
-ExecStart=/usr/sbin/radvd --username radvd --logmethod stderr --debug 0
+ExecStartPre=/usr/sbin/radvd --configtest
+ExecStart=/usr/sbin/radvd --logmethod stderr --debug 0
 ExecReload=/usr/sbin/radvd --configtest ; \
            /bin/kill -HUP $MAINPID
 CPUSchedulingPolicy=idle
 PIDFile=/run/radvd/radvd.pid
+RuntimeDirectory=radvd
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE  CAP_NET_RAW
+AmbientCapabilities=CAP_NET_BIND_SERVICE  CAP_NET_RAW
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
 
 [Install]
 WantedBy=multi-user.target
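Review bot: With `User=radvd` on line 27 and `--username radvd` dropped from ExecStart, both `--configtest` invocations and the daemon itself now read /etc/radvd.conf as the unprivileged user instead of as root before dropping privileges, so the service only starts if that file is readable by radvd; since the diffstat shows only the unit changing, please confirm the ebuild installs the config with matching ownership/mode, or record it in the unit: `# /etc/radvd.conf must be readable by the radvd user (the daemon no longer starts as root)`. Likewise, any root-only work radvd usually does after startup — writing per-interface sysctls under /proc/sys/net/ipv6/conf/ to honour options such as AdvCurHopLimit, if this build does that — cannot succeed with only CAP_NET_RAW and CAP_NET_BIND_SERVICE, so either grant the capability actually required or document that those writes are now best-effort. `AmbientCapabilities=` on line 39 also needs systemd ≥ 229 on a kernel with ambient-capability support; on an older kernel the process would run without CAP_NET_RAW and presumably fail to open its raw ICMPv6 socket, which the ebuild's dependencies or a comment should make explicit. If radvd only uses raw IPv6 and netlink sockets, `RestrictAddressFamilies=AF_INET6 AF_NETLINK` would be a cheap further tightening in the same spirit.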
