From a4fe9c98d74447ca96ba59610368486640fdbfd6 Mon Sep 17 00:00:00 2001
From: Daniel Wagner <dwagner@suse.de>
Date: Fri, 29 Sep 2023 14:28:16 +0200
Subject: [PATCH] systemd hardening effort
https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
Apply the recommended hardening settings but without
"ProtectKernelTunables=true" as we need write access to /sys.
Signed-off-by: Daniel Wagner <dwagner@suse.de>
---
nvmf-autoconnect/systemd/nvmf-connect@.service.in | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/nvmf-autoconnect/systemd/nvmf-connect@.service.in b/nvmf-autoconnect/systemd/nvmf-connect@.service.in
|
|
index 5ba708..129cb4 100644
|
|
--- a/nvmf-autoconnect/systemd/nvmf-connect@.service.in
|
|
+++ b/nvmf-autoconnect/systemd/nvmf-connect@.service.in
|
|
@@ -11,6 +11,14 @@ PartOf=nvmf-connect.target
|
|
Requires=nvmf-connect.target
|
|
|
|
[Service]
|
|
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
+ProtectSystem=full
|
|
+ProtectHome=true
|
|
+ProtectHostname=true
|
|
+ProtectKernelModules=true
|
|
+ProtectKernelLogs=true
|
|
+ProtectControlGroups=true
|
|
+RestrictRealtime=true
|
|
Type=simple
|
|
Environment="CONNECT_ARGS=%i"
|
|
ExecStart=/bin/sh -c "@SBINDIR@/nvme connect-all --context=autoconnect --quiet `/bin/echo -e '${CONNECT_ARGS}'`"
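Review bot: The unit file gives no hint that ProtectKernelTunables= was deliberately left out of the added block; the reason lives only in the commit message, so a later hardening pass is likely to add it back and break the /sys writes the connect needs. Record it next to the new directives, e.g. `# ProtectKernelTunables=true intentionally omitted: nvme connect-all needs write access to /sys`. Note also that ProtectHostname= and ProtectKernelLogs= are only understood by fairly recent systemd releases (around 242 and 244, if I recall correctly); an older systemd logs an unknown-key warning and ignores them rather than failing, so on such hosts part of this hardening silently does not apply — worth confirming against the oldest systemd the package targets.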
|
|
--
|
|
2.42.0