Andrea Pappacoda 15a9bea122 dist: harden systemd service unit ... With this patch the systemd service will now run in a hardened sandbox that limits the kinds of subsystems available to the unit. This improves the overall security of the system, as nextcloud-spreed-signaling becomes almost pointless to exploit. The most notable changes include: - The entire fie system is mounted read-only with ProtectSystem=strict - No binaries are executable, apart from /usr/bin/signaling, with NoExecPaths=/ and ExecPaths=/usr/bin/signaling - The service cannot see any user on the system apart from the one that is running the process, with PrivateUsers=yes - Most of the /proc subsystem is inaccessible, and things like system stats may be unavailabe, with ProcSubset=pid - All home directories are inaccessible, with ProtectHome=yes - The kinds of permitted system calls are limited, via SystemCallFilter= I highly recommend you to read the systemd.exec(5) manual page to fully understand what these options do and how they can protect the system. https://www.freedesktop.org/software/systemd/man/systemd.exec.html		2022-06-15 00:00:20 +02:00
..
systemd	dist: harden systemd service unit	2022-06-15 00:00:20 +02:00