From: Christian Hesse <m...@eworm.de>

ProtectSystem=strict mounts the entire file system hierarchy read-only,
except for the API file system subtrees /dev, /proc and /sys (which can
be protected using PrivateDevices=, ProtectKernelTunables=,
ProtectControlGroups=).

ProtectHome=true makes the directories /home, /root and /run/user
inaccessible and empty for the process.

See systemd.exec(5) [0] for details.

[0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-client@.service | 2 ++
 distro/systemd/openvpn-server@.service | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index 5618af3..3a9b7e2 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -17,6 +17,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW 
CAP_SETGID CAP_SETU
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
+ProtectSystem=strict
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
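Review bot: ProtectSystem=strict is added here without a ReadWritePaths= to go with it, so the first client config that uses a file-writing option (--status, --writepid, --log-append, or an --up script that rewrites /etc/resolv.conf) hits a read-only mount and fails at that point rather than at unit load; suggest pairing the new line with something like `ReadWritePaths=/run/openvpn` (or whatever directory the unit expects status/pid files in), or stating in the commit message that such options are unsupported under this unit. ProtectHome=true has a similar user-visible effect for the client case: a config whose ca/cert/key or auth-user-pass file lives under /home or /root will no longer be able to open it, and nothing in the unit or the message warns about that.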
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index b9b4dba..a9e57b2 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -17,6 +17,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN 
CAP_NET_BIND_SERVICE CAP_NET_RA
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
+ProtectSystem=strict
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
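Review bot: the server unit gets the same ProtectSystem=strict with no ReadWritePaths=, and server-side configs routinely write files: --status and --ifconfig-pool-persist are normally given paths relative to the working directory, and --writepid is common, so with everything outside /dev, /proc and /sys read-only those writes fail; add a `ReadWritePaths=` for the status/persist/pid directory in this hunk. Since the commit message itself names ProtectKernelTunables= and ProtectControlGroups= as the way to cover the /proc and /sys exceptions, consider adding `ProtectKernelTunables=true` and `ProtectControlGroups=true` alongside the two new lines; PrivateDevices= is the one to leave out, as it does not pass through /dev/net/tun, which the DeviceAllow= line just above shows the service needs.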
-- 
2.10.2
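As an added example (not part of this patch or of OpenVPN's own unit files): once ProtectSystem=strict is in place, the only writable paths are the ones granted back with ReadWritePaths=, and the files OpenVPN writes are exactly those named by its status, ifconfig-pool-persist, writepid, log and log-append options. The script below reads an OpenVPN config, resolves those paths and prints the [Service] fragment for a systemd drop-in (e.g. /etc/systemd/system/openvpn-server@.service.d/rw.conf). Assumptions: relative paths resolve against the directory passed as the first argument (taken to be the unit's WorkingDirectory= or --cd); the sample config, its paths and the /etc/openvpn/server directory are constructed for the example; only sed, awk and a POSIX shell are needed.

```shell
#!/bin/sh
# Added example (not part of the OpenVPN patch or its unit files): derive the
# ReadWritePaths= line a systemd drop-in needs so that ProtectSystem=strict
# leaves writable exactly the files an OpenVPN config asks the daemon to write.
#
# The option names matched below are real OpenVPN options that create or append
# to a file: status, ifconfig-pool-persist, writepid, log, log-append.
# Assumption: relative paths resolve against the directory passed as $1, i.e.
# the unit's WorkingDirectory= (or --cd). All paths in the sample are made up.

# Read an OpenVPN config on stdin; print the parent directory of every file
# the daemon will write, deduplicated, one per line. '#' and ';' start
# comments in OpenVPN configs, so anything after them is dropped first.
rw_dirs_for_config() {
    sed -e 's/[#;].*$//' | awk -v cfgdir="$1" '
        $1 == "status" || $1 == "ifconfig-pool-persist" ||
        $1 == "writepid" || $1 == "log" || $1 == "log-append" {
            path = $2
            if (path !~ /^\//) path = cfgdir "/" path   # relative -> absolute
            sub(/\/[^\/]*$/, "", path)                  # keep the directory only
            if (!(path in seen)) { seen[path] = 1; print path }
        }'
}

# Turn those directories into a [Service] drop-in fragment. Directories rather
# than files are granted so that a status/pid file can be created when it does
# not exist yet (ReadWritePaths= on a missing file would not help).
dropin_for_config() {
    dirs=$(rw_dirs_for_config "$1" | tr '\n' ' ')
    printf '[Service]\nReadWritePaths=%s\n' "${dirs% }"
}

# Constructed sample server config; nothing here is from a real deployment.
demo() {
    dropin_for_config /etc/openvpn/server <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
status openvpn-status.log 10          # relative: lands in the config dir
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
writepid /run/openvpn/server.pid
; log-append /var/log/openvpn/server.log   (disabled, so not listed)
EOF
}

demo
```

Run it against the real config (`rw_dirs_for_config /etc/openvpn/server < /etc/openvpn/server/foo.conf`), put the printed fragment in the drop-in, then `systemctl daemon-reload` and restart the instance; `systemd-analyze security openvpn-server@foo.service` afterwards confirms ProtectSystem= and ProtectHome= are still counted as applied.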


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel