uuidd: Add hardening settings to uuidd.service
This limits what the uuid daemon has access to when it runs.

Further improving this with additional options or making
things even tighter is most likely possible.

Signed-off-by: Andreas Henriksson <[email protected]>
andhe authored and karelzak committed Nov 29, 2018
1 parent 627a0ef commit df8d991
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions misc-utils/uuidd.service.in
Expand Up @@ -8,6 +8,17 @@ ExecStart=@usrsbin_execdir@/uuidd --socket-activation
Restart=no
User=uuidd
Group=uuidd
ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateUsers=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX
MemoryDenyWriteExecute=yes
SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io

[Install]
Also=uuidd.socket
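
Review bot: ProtectSystem=strict is added with no ReadWritePaths= or StateDirectory= beside it, so everything outside /dev, /proc and /sys becomes read-only for the service; if uuidd persists any state on disk, those writes will fail under this unit. Please confirm which paths the daemon writes to and allow them explicitly. In the same block, PrivateNetwork=yes combined with RestrictAddressFamilies=AF_UNIX leaves the daemon with only a loopback device in its own namespace and no non-Unix sockets, so it is worth testing UUID generation end to end in case it needs to inspect host network interfaces. A one-line comment on why @network-io remains in SystemCallFilter= (socket calls on the AF_UNIX activation socket) would also help the next reader judge whether the list can be tightened further.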
