systemd: more paranoid security settings

e3237f05 · Max Kellermann · 54d5d9d1 · e3237f05 · e3237f05
Commit e3237f05 authored Dec 09, 2016 by Max Kellermann
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 0 deletions

NEWS NEWS +1 -0

mpd.service.in systemd/mpd.service.in +9 -0

No files found.
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ ver 0.19.20 (not yet released)
 * output
  - winmm: fix 8 bit playback
 * fix gcc 7.0 -Wimplicit-fallthrough
+* systemd: paranoid security settings

 ver 0.19.19 (2016/08/23)
 * decoder

--- a/systemd/mpd.service.in
+++ b/systemd/mpd.service.in
@@ -12,6 +12,15 @@ LimitRTTIME=infinity
 # disallow writing to /usr, /bin, /sbin, ...
 ProtectSystem=yes

+# more paranoid security settings
+NoNewPrivileges=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictNamespaces=yes
+
 [Install]
 WantedBy=multi-user.target
 Also=mpd.socket