commit 3b49879c08bcc8cfc7ef8e0df2327f99445e2b7d (tree) parent b8aed7552e37ddf02f283a3c6bf9a7af831fe4c3 Author: Motiejus Jakštys <desired.mta@gmail.com> Date: Sun, 12 Apr 2020 13:35:08 +0300 more hardening Diffstat:
| M | root/rslsync/etc/systemd/system/rslsync@.service | | | 3 | ++- |
| M | root/syncthing/etc/systemd/system/syncthing@.service.d/hardening.conf | | | 5 | +++++ |
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/root/rslsync/etc/systemd/system/rslsync@.service b/root/rslsync/etc/systemd/system/rslsync@.service
@@ -12,13 +12,14 @@ ExecStartPre=/etc/resilio-sync/init_user_config.sh
 ExecStart=/usr/bin/rslsync --nodaemon --config /home/%i/.config/resilio-sync/config.json
 # Hardening
-ProtectSystem=full
+ProtectSystem=strict
 PrivateTmp=true
 SystemCallArchitectures=native
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 TemporaryFileSystem=/home
 BindPaths=/home/%i/.config/resilio-sync
+BindPaths=/bigdisk/annex2/R-Camera
 [Install]
 WantedBy=multi-user.target
diff --git a/root/syncthing/etc/systemd/system/syncthing@.service.d/hardening.conf b/root/syncthing/etc/systemd/system/syncthing@.service.d/hardening.conf
@@ -1,3 +1,8 @@
 [Service]
+ProtectSystem=strict
 TemporaryFileSystem=/home
 BindPaths=/home/%i/.config/syncthing
+TemporaryFileSystem=/bigdisk
+BindPaths=/bigdisk/annex2
+BindPaths=/bigdisk/public_html
+BindPaths=/bigdisk/stud-cache
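Review bot: In rslsync@.service the new `BindPaths=/bigdisk/annex2/R-Camera` has no matching `TemporaryFileSystem=/bigdisk`, so the rest of /bigdisk stays visible to the service (read-only under `ProtectSystem=strict`), whereas the syncthing drop-in in this same commit hides it. If rslsync is meant to see only R-Camera, add `TemporaryFileSystem=/bigdisk` ahead of the bind line. `ExecStartPre=` runs under the same sandbox settings, so it is worth confirming that init_user_config.sh writes only under the bound paths now that everything else is read-only. The unit starts above the hunk, so settings such as `User=` are not visible here.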
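Review bot: The three `BindPaths=` lines in hardening.conf expose /bigdisk/annex2, /bigdisk/public_html and /bigdisk/stud-cache read-write to every instance of the `syncthing@` template, so what a given user's daemon can modify there rests on file permissions alone. Where an instance only needs to read a tree, `BindReadOnlyPaths=` keeps it visible without write access; public_html looks like web-served content, which is worth confirming before a network-facing sync daemon may write to it. A short comment above the block, e.g. `# Hide /bigdisk; expose only the synced trees`, would record why these site-specific paths are listed. The base syncthing@.service is outside this diff, so any hardening it already carries is not visible here.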