systemd service: paranoia mode

DanielOgorchock · Oct 1, 2022 · 8dd8342 · 8dd8342
1 parent f9a6691
commit 8dd8342
Showing 1 changed file with 20 additions and 5 deletions.
diff --git a/systemd/joycond.service b/systemd/joycond.service
@@ -4,12 +4,27 @@ After=network.target
 
 [Service]
 ExecStart=/usr/bin/joycond
-WorkingDirectory=/root
-StandardOutput=inherit
-StandardError=inherit
 Restart=always
-User=root
+
+D1eviceAllow=char-input
+DeviceAllow=/dev/uinput
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+ProtectClock=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectProc=noaccess
+ProtectSystem=strict
+RestrictAddressFamilies=AF_NETLINK
+RestrictNetworkInterfaces=
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SocketBindDeny=any
 
 [Install]
 WantedBy=multi-user.target
-