dist: Set ProtectClock, RestrictAddressFamilies and CapabilityBoundingSet

This increases the isolation of the Maddy service. Maddy capabilities can be
bound to only CAP_NET_BIND_SERVICE. This also restricts the service to
only use Unix sockets, IPv4 and IPv6.
Alexandre Iooss 2021-08-26 17:34:00 +02:00 committed by Max Mazurov
parent c0845fb27a
commit 34a8c6864d
2 changed files with 6 additions and 0 deletions

@ -29,7 +29,9 @@ ProtectHome=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectHostname=true
ProtectClock=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Additional sandboxing. You need to disable all of these options
# for privileged helper binaries (for system auth) to work correctly.
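Review bot: the new RestrictAddressFamilies= line omits AF_NETLINK, and on Linux the Go runtime's interface enumeration (net.Interfaces() and friends, used when a listener is bound to an interface name or a source address has to be chosen) opens a netlink socket; under this whitelist that socket() call fails with EAFNOSUPPORT instead of being silently denied, so exercise the listener setup under the new unit before merging and add AF_NETLINK here only if it turns out to be required. Also worth stating in the commit message: ProtectClock=true implies DeviceAllow=char-rtc r, and with that first DeviceAllow= present the default DevicePolicy=auto behaves as closed, so this unit, which had no DeviceAllow= before, now loses access to any other device node unless it is listed explicitly.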
@ -50,6 +52,7 @@ KillSignal=SIGTERM
# Required to bind on ports lower than 1024.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Force all files created by maddy to be only readable by it.
UMask=0027
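Review bot: the comment above these two lines ("# Required to bind on ports lower than 1024.") only explains AmbientCapabilities=, and the added CapabilityBoundingSet= does something stronger that the comment does not cover: the bounding set is inherited across execve and caps what any program maddy runs can gain through setuid or file capabilities. That means the privileged helper binaries for system auth mentioned under "# Additional sandboxing" in the previous hunk are constrained by this directive too, so either list it among the options an admin must relax for helpers or add a second comment line here, e.g. `# Prevent maddy, and anything it executes, from ever acquiring other capabilities.`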

@ -25,7 +25,9 @@ PrivateHome=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectHostname=true
ProtectClock=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
DeviceAllow=/dev/syslog
# Additional sandboxing. You need to disable all of these options
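Review bot: the unchanged context line PrivateHome=true at the top of this hunk is not a systemd directive (the option is ProtectHome=, as used in the other unit file in this change); systemd ignores unknown keys with a warning, so this unit has no home-directory protection even though it reads as if it does. Out of scope for this commit, but it belongs in a follow-up alongside these hardening lines. The ProtectClock= and RestrictAddressFamilies= additions themselves match the first unit exactly, which is correct; the remaining risk is the two units drifting apart, so a comment pointing at the sibling file would help future edits.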
@ -46,6 +48,7 @@ KillSignal=SIGTERM
# Required to bind on ports lower than 1024.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Force all files created by maddy to be only readable by it.
UMask=0027
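Review bot: the context comment "# Force all files created by maddy to be only readable by it." overstates what UMask=0027 does: that mask yields 0640 files and 0750 directories, which the service's group can still read and traverse. Either reword the comment to "not readable by other users" or, if group access is not needed, tighten to UMask=0077. Unrelated to the CapabilityBoundingSet= line being added, but it sits inside this hunk's context and is easy to fix in the same pass.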