Improve systemd unit security (#677)
Applied suggestions from `systemd-analyze`, and also use StateDirectory to ensure /var/lib/navidrome exists and is writable
This commit is contained in:
parent
8419a2a5d1
commit
62ccbaad8b
|
@ -3,7 +3,6 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Navidrome Music Server and Streamer compatible with Subsonic/Airsonic
|
Description=Navidrome Music Server and Streamer compatible with Subsonic/Airsonic
|
||||||
After=remote-fs.target network.target
|
After=remote-fs.target network.target
|
||||||
AssertPathExists=/var/lib/navidrome
|
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
@ -13,6 +12,7 @@ User=navidrome
|
||||||
Group=navidrome
|
Group=navidrome
|
||||||
Type=simple
|
Type=simple
|
||||||
ExecStart=/usr/bin/navidrome
|
ExecStart=/usr/bin/navidrome
|
||||||
|
StateDirectory=navidrome
|
||||||
WorkingDirectory=/var/lib/navidrome
|
WorkingDirectory=/var/lib/navidrome
|
||||||
TimeoutStopSec=20
|
TimeoutStopSec=20
|
||||||
KillMode=process
|
KillMode=process
|
||||||
|
@ -21,18 +21,25 @@ Restart=on-failure
|
||||||
EnvironmentFile=-/etc/sysconfig/navidrome
|
EnvironmentFile=-/etc/sysconfig/navidrome
|
||||||
|
|
||||||
# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
||||||
|
CapabilityBoundingSet=
|
||||||
DevicePolicy=closed
|
DevicePolicy=closed
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
|
LockPersonality=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
PrivateUsers=yes
|
PrivateUsers=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
|
ProtectClock=yes
|
||||||
|
ProtectHostname=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
|
SystemCallFilter=@system-service
|
||||||
ReadWritePaths=/var/lib/navidrome
|
SystemCallFilter=~@privileged @resources
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
UMask=0066
|
||||||
|
|
||||||
# You can uncomment the following line if you're not using the jukebox This
|
# You can uncomment the following line if you're not using the jukebox This
|
||||||
# will prevent navidrome from accessing any real (physical) devices
|
# will prevent navidrome from accessing any real (physical) devices
|
||||||
|
|
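Review bot: `UMask=0066` in the third hunk leaves the group/other execute bit set, so directories the service creates under its state directory come out 0711 and any executable it writes is 0711; the conventional tight value is `UMask=0077`, which yields 0700/0600, and I would expect that here unless another account genuinely needs to traverse those directories. A comment above the two `SystemCallFilter=` lines would help, since a reader may read them as contradictory: the second line subtracts `@privileged` and `@resources` from the `@system-service` allow-list on the first, and the resulting filter also applies to any child processes the service spawns. Several of the added directives (`ProtectClock=`, `ProtectHostname=`, `ProtectKernelLogs=`) are only understood by fairly recent systemd releases; older ones log an unknown-directive warning and skip the line, so the hardening silently degrades there, and a comment stating the minimum systemd version this unit targets would make that visible. The `[Service]` section these hunks belong to starts outside the hunk, so I cannot tell whether `ProtectSystem=strict` and `ProtectHome=yes` are set elsewhere in it; if they are not, they are the usual companions to dropping `ReadWritePaths=` in favour of `StateDirectory=`, which keeps the state directory writable under a read-only root.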