commit: 6d1bfd687106fcb4a75e0d225d77153f2b9c581d Author: Craig Andrews <candrews <AT> integralblue <DOT> com> AuthorDate: Tue Jan 24 17:39:20 2017 +0000 Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> CommitDate: Sun Jan 29 23:46:19 2017 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d1bfd68
mail-mta/postfix: additional systemd hardening Other distributions are doing the same thing, and these additions are recommended by systemd. See https://lwn.net/Articles/709755/ (cherry picked from commit 388f5cae8b89039f285a66651bc70d662a9d8e57) Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org> Fixes: https://github.com/gentoo/gentoo/pull/3629 mail-mta/postfix/files/postfix.service | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/mail-mta/postfix/files/postfix.service b/mail-mta/postfix/files/postfix.service index 585849e..db585b3 100644 --- a/mail-mta/postfix/files/postfix.service +++ b/mail-mta/postfix/files/postfix.service @@ -15,6 +15,12 @@ ProtectSystem=full ReadWritePaths=-/etc/mail/aliases.db CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE MemoryDenyWriteExecute=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectControlGroups=true +RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX +RestrictNamespaces=true +RestrictRealtime=true [Install] WantedBy=multi-user.target