authorTopi Miettinen <toiwoton@gmail.com>2019-03-23 22:18:11 +0200
committerTopi Miettinen <toiwoton@gmail.com>2019-03-25 21:51:33 +0200
commit94b5b236aa0743bacb2139c62d5a6e0143845634 (patch)
treee831a75a07afd47bc9fcfb140595de56c193e431 /bus/example-system-hardening-without-traditional-activation.conf
parentdf9cb47c3aa28a385bd6254b80f1e55c66321071 (diff)
Configure option to disable traditional activation
Traditional activation can be disabled when every service uses SystemdService activation instead. Provide an example of a hardened D-Bus systemd service drop-in file for such a setup. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'bus/example-system-hardening-without-traditional-activation.conf')
-rw-r--r--bus/example-system-hardening-without-traditional-activation.conf31
1 files changed, 31 insertions, 0 deletions
diff --git a/bus/example-system-hardening-without-traditional-activation.conf b/bus/example-system-hardening-without-traditional-activation.conf
new file mode 100644
index 00000000..2665c9a8
--- /dev/null
+++ b/bus/example-system-hardening-without-traditional-activation.conf
@@ -0,0 +1,31 @@
+# Example drop-in file (dbus.service.d/override.conf) for systemd
+# service. This version has many hardening options enabled and thus
+# it is only suitable for cases where only systemd activation is used
+# or traditional activation disabled by compiling dbus with
+# --disable-traditional-activation.
+
+[Service]
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_RESOURCE CAP_AUDIT_WRITE
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/urandom r
+DevicePolicy=strict
+IPAddressDeny=any
+LimitMEMLOCK=0
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadOnlyPaths=-/
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@chown @clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap memfd_create mincore mlock mlockall personality
+UMask=0077
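Review bot: The `CapabilityBoundingSet=` line keeps CAP_SYS_RESOURCE, but the deny list on the second `SystemCallFilter=` line removes `@resources`, the group that holds `setrlimit`/`prlimit64` — the only reason dbus-daemon would want that capability — so the two lines work against each other. If dbus-daemon does try to raise RLIMIT_NOFILE at startup (I believe it does when started as root, but confirm against bus.c), the filtered call terminates the process with SIGSYS because no `SystemCallErrorNumber=` is set, rather than failing gracefully. Either drop `@resources` from the deny list, or — the tighter option — remove CAP_SYS_RESOURCE from the bounding set and add a `LimitNOFILE=` high enough that the daemon has no reason to raise it, and record in the header comment which variant was tested. `ReadOnlyPaths=-/` is also redundant under `ProtectSystem=strict`, which already mounts the whole hierarchy read-only apart from /dev, /proc and /sys. Worth a caveat in the header comment too: `RestrictAddressFamilies=AF_UNIX` will likely break a build with SELinux support, whose AVC listener opens an AF_NETLINK socket — if that is in scope, add AF_NETLINK.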