-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtrassh.service
54 lines (47 loc) · 1.31 KB
/
trassh.service
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
[Unit]
Description=TraSSH dæmon
Requires=trassh.socket
[Service]
ExecStart=/usr/local/bin/trassh
StandardInput=file:/usr/local/share/trassh.dat
DynamicUser=true
CPUSchedulingPolicy=idle
IOSchedulingClass=idle
TimerSlackNSec=150ms
OOMScoreAdjust=1000
LimitFSIZE=0
LimitNPROC=1
LimitNOFILE=8
LimitAS=640K
SystemCallArchitectures=native
SystemCallFilter=arch_prctl write fstat mmap setsockopt accept getsockopt sendto nanosleep recvfrom close
; The above syscall whitelist is, I think, enough to (heavily!) sandbox,
; and everything that follows is redundant/useless (because less stringent.)
;
; The first next group appeases me tho, as an extra explicit safety net.
;
; The second one is only to please `systemd-analyze security trassh.service',
; which is dumb; see https://GitHub.com/systemd/systemd/issues/15758
TemporaryFileSystem=/:ro
PrivateUsers=true
PrivateNetwork=true
ProtectHostname=true
NoNewPrivileges=true
MemoryDenyWriteExecute=true
CapabilityBoundingSet=
LockPersonality=true
RestrictRealtime=true
RestrictNamespaces=true
DevicePolicy=strict
PrivateDevices=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=~AF_UNIX
RestrictSUIDSGID=true
UMask=0777