diff options
| author | Bastien Nocera <hadess@hadess.net> | 2018-05-03 12:59:41 +0200 |
|---|---|---|
| committer | Zeeshan Ali <zeenix@collabora.co.uk> | 2018-05-03 15:54:01 +0200 |
| commit | 0f64cd1a2e809d447c25d9b8ca3b7ec7eac2cf40 (patch) | |
| tree | 52f9c877c885ed54fa02c81c12e09c8749d5a845 /data | |
| parent | bc43c0ce01cff90d87806abb0924305078f163ff (diff) | |
| download | geoclue-0f64cd1a2e809d447c25d9b8ca3b7ec7eac2cf40.tar.gz | |
Lock down systemd service file
Use systemd's service file to lockdown the geoclue daemon to stop
eventual security problems.
https://bugs.freedesktop.org/show_bug.cgi?id=106190
Diffstat (limited to 'data')
| -rw-r--r-- | data/geoclue.service.in | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/data/geoclue.service.in b/data/geoclue.service.in index dc77b48..6449d30 100644 --- a/data/geoclue.service.in +++ b/data/geoclue.service.in @@ -6,3 +6,25 @@ Type=dbus BusName=org.freedesktop.GeoClue2 User=@dbus_srv_user@ ExecStart=@libexecdir@/geoclue + +# Filesystem lockdown +ProtectSystem=strict +ProtectKernelTunables=true +ProtectControlGroups=true +ProtectHome=true +PrivateTmp=true + +# Network +PrivateNetwork=false + +# Execute Mappings +MemoryDenyWriteExecute=true + +# Modules +ProtectKernelModules=true + +# Real-time +RestrictRealtime=true + +# Privilege escalation +NoNewPrivileges=true |