Further hardened the systemd service configuration. OBS-URL: https://build.opensuse.org/request/show/1301944 OBS-URL: https://build.opensuse.org/package/show/server:mail/OpenSMTPD?expand=0&rev=8
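[Unit]
# smtpd.service — OpenSMTPD mail transfer agent.
Description=Simple Mail Transfer Protocol daemon
Documentation=man:smtpd(8) man:smtpd.conf(5)
# After= on its own only orders this unit behind network-online.target when
# something else activates that target; Wants= pulls it in so the daemon is
# started once the network is actually up (see systemd.special(7)).
Wants=network-online.target
After=network-online.target
# Skip the unit quietly when the daemon binary is missing or not executable.
ConditionFileIsExecutable=/usr/sbin/smtpd
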
[Service]
# Validate the configuration first so a broken smtpd.conf fails the unit
# instead of leaving a partially started daemon behind.
ExecStartPre=/usr/sbin/smtpd -n
ExecStart=/usr/sbin/smtpd
# The daemon backgrounds itself; @rundir@ is substituted at package build time.
Type=forking
PIDFile=@rundir@/smtpd.pid
# Restart after a crash, signal or timeout, but not after a clean exit.
Restart=on-abnormal

# --- Filesystem, device and kernel-interface isolation ---
PrivateDevices=true
ProtectSystem=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
LockPersonality=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
InaccessiblePaths=/dev/shm
NoNewPrivileges=true
RestrictSUIDSGID=true
# NOTE(review): ProtectHome= is not set; presumably local delivery needs to
# write under home directories — confirm before tightening.

# --- Seccomp: native ABI only; the listed groups/calls are denied ---
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @module @reboot @sandbox @swap
SystemCallFilter=~memfd_create

# --- Capability bounding set: deny-list, merged across lines. Any
# capability not listed here stays available to the daemon.
# NOTE(review): CAP_SYS_ADMIN is among those not dropped — confirm whether
# smtpd actually requires it.
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHECKPOINT_RESTORE
CapabilityBoundingSet=~CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_MKNOD CAP_NET_ADMIN CAP_NET_RAW CAP_PERFMON
CapabilityBoundingSet=~CAP_SETFCAP CAP_SETPCAP CAP_SYSLOG
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_MODULE CAP_SYS_PACCT CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM

# --- Socket address families: deny-list. systemd.exec(5) recommends an
# allow-list instead; kept as a deny-list until the families smtpd opens
# (at least AF_UNIX/AF_INET/AF_INET6) are confirmed.
RestrictAddressFamilies=~AF_APPLETALK AF_AX25 AF_BLUETOOTH AF_CAN AF_DECnet AF_IB
RestrictAddressFamilies=~AF_IPX AF_KCM AF_LLC AF_MPLS AF_PACKET AF_PPPOX
RestrictAddressFamilies=~AF_RDS AF_TIPC AF_VSOCK AF_X25 AF_XDP

# --- No new namespaces of any listed type ---
RestrictNamespaces=~cgroup ipc mnt net pid user uts

# Block multicast traffic at the cgroup level.
IPAddressDeny=multicast

[Install]
# Enabled as part of the normal multi-user boot target.
WantedBy=multi-user.target