08e8cd1fec
OBS-URL: https://build.opensuse.org/request/show/966438 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nvme-cli?expand=0&rev=55
30 lines
955 B
Diff
30 lines
955 B
Diff
Subject: systemd hardening effort
|
|
|
|
https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
|
|
Apply the recommended hardening settings but without
|
|
"ProtectKernelTunables=true" as we need write access to /sys.
|
|
|
|
Signed-off-by: Daniel Wagner <dwagner@suse.de>
|
|
---
|
|
nvmf-autoconnect/systemd/nvmf-connect@.service.in | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
--- a/nvmf-autoconnect/systemd/nvmf-connect@.service.in
|
|
+++ b/nvmf-autoconnect/systemd/nvmf-connect@.service.in
|
|
@@ -9,6 +9,14 @@ PartOf=nvmf-connect.target
|
|
Requires=nvmf-connect.target
|
|
|
|
[Service]
|
|
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
+ProtectSystem=full
|
|
+ProtectHome=true
|
|
+ProtectHostname=true
|
|
+ProtectKernelModules=true
|
|
+ProtectKernelLogs=true
|
|
+ProtectControlGroups=true
|
|
+RestrictRealtime=true
|
|
Type=simple
|
|
Environment="CONNECT_ARGS=%i"
|
|
ExecStart=/bin/sh -c "@SBINDIR@/nvme connect-all --quiet `/bin/echo -e '${CONNECT_ARGS}'`"
|