Skip to content

Commit

Permalink
feat: Harden
Browse files Browse the repository at this point in the history
  • Loading branch information
@Kimiblock
Kimiblock committed Feb 22, 2024
1 parent b144548 commit 84e7621
Showing 1 changed file with 10 additions and 4 deletions.
14 changes: 10 additions & 4 deletions snotify.service
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,6 @@ MemoryHigh=16M
MemoryMax=20M
OOMPolicy=kill

CPUQuota=3%


CapabilityBoundingSet=
AmbientCapabilities=

Expand All @@ -33,7 +30,11 @@ RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
SystemCallArchitectures=native
UMask=0600
UMask=077
NoNewPrivileges=yes
KeyringMode=private
ProtectProc=invisible
ProcSubset=pid

SystemCallFilter=~@reboot
SystemCallFilter=~@raw-io
Expand All @@ -42,6 +43,11 @@ SystemCallFilter=~@mount
SystemCallFilter=~@module
SystemCallFilter=~@debug
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@obsolete
#SystemCallFilter=~@resources
#RestrictAddressFamilies=none
RestrictAddressFamilies=AF_UNIX
IPAddressAllow=localhost
PrivateUsers=yes
PrivateNetwork=yes

Expand Down

0 comments on commit 84e7621

Please sign in to comment.