author | Craig Andrews <candrews@integralblue.com> | 2016-06-30 10:27:06 -0400 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2016-06-30 17:40:50 -0500 |
commit | 42bdffe7965568ff651899b35bfa6dceeb757d24 (patch) | |
tree | cc699c659bb6e5e285791cc0b3d0f080546b46ba /net-misc/radvd | |
parent | dev-games/hlsdk: remove deprecated games eclass (diff) | |
net-misc/radvd: systemd hardening
Improve the systemd unit by having radvd never run as root, restricting capabilities as much as possible, and limiting file system access.
Gentoo-bug: 587588
Diffstat (limited to 'net-misc/radvd')
-rw-r--r-- | net-misc/radvd/files/radvd.service | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/net-misc/radvd/files/radvd.service b/net-misc/radvd/files/radvd.service index d9095f625a9c..a3ac66f84963 100644 --- a/net-misc/radvd/files/radvd.service +++ b/net-misc/radvd/files/radvd.service @@ -4,12 +4,23 @@ Documentation=man:radvd(8) After=network.target [Service] +User=radvd +Group=radvd Type=forking -ExecStart=/usr/sbin/radvd --username radvd --logmethod stderr --debug 0 +ExecStartPre=/usr/sbin/radvd --configtest +ExecStart=/usr/sbin/radvd --logmethod stderr --debug 0 ExecReload=/usr/sbin/radvd --configtest ; \ /bin/kill -HUP $MAINPID CPUSchedulingPolicy=idle PIDFile=/run/radvd/radvd.pid +RuntimeDirectory=radvd +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW +AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW +PrivateTmp=yes +PrivateDevices=yes +ProtectSystem=full +ProtectHome=yes +NoNewPrivileges=yes [Install] WantedBy=multi-user.target |
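Review bot: The AmbientCapabilities= line in [Service] is now the only way radvd obtains CAP_NET_RAW, because User=radvd replaces the old start-as-root-then-drop behaviour of --username radvd, so the unit depends on a systemd and kernel that support ambient capabilities; where they do not, the setting is ignored and the daemon starts with no capabilities at all. Please state the minimum systemd version in the ebuild dependency or in a comment in the unit. CAP_NET_BIND_SERVICE also appears in both CapabilityBoundingSet= and AmbientCapabilities= without a stated reason; if radvd only needs its raw socket, drop it so the bounding set is CAP_NET_RAW alone. Finally, ExecStartPre= and the configtest in ExecReload= now run as radvd too, so the configuration file must be readable by that user, which is worth a line in the commit message.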