Accepting request 932210 from home:jsegitz:branches:systemdhardening:server:proxy
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/932210 OBS-URL: https://build.opensuse.org/package/show/server:proxy/shadowsocks-libev?expand=0&rev=48
parent
62c618cdf5
commit
077335e24c
@ -4,6 +4,19 @@ Wants=network-online.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
Type=forking
|
||||
PIDFile=/var/run/shadowsocks-libev-client.pid
|
||||
ExecStart=/usr/bin/ss-local -c /etc/shadowsocks/shadowsocks-libev-config.json -f /var/run/shadowsocks-libev-client.pid -u --fast-open
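Review bot: The block added between `[Service]` and `Type=forking` confines filesystem and kernel interfaces but, as far as this hunk shows, leaves the privilege level of a network-facing proxy untouched. There is no `NoNewPrivileges=`, and no `User=` appears in the lines shown (the unit continues outside the hunk, so one may exist). I would add `NoNewPrivileges=true` after `RestrictRealtime=true` once the unit has been started and exercised, since the description states the change was not tested. Running `systemd-analyze security` on the installed unit shows what remains exposed. The same point applies to the other ten service units changed on this page, which receive the identical block.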
|
||||
|
@ -4,6 +4,19 @@ Wants=network-online.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
Type=forking
|
||||
PIDFile=/var/run/shadowsocks-libev-client@%i.pid
|
||||
ExecStart=/usr/bin/ss-local -c /etc/shadowsocks/%i.json -f /var/run/shadowsocks-libev-client@%i.pid -u --fast-open
|
||||
|
@ -4,6 +4,19 @@ Wants=network-online.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
Type=forking
|
||||
PIDFile=/var/run/shadowsocks-libev-manager.pid
|
||||
ExecStart=/usr/bin/ss-manager -c /etc/shadowsocks/shadowsocks-libev-config.json -f /var/run/shadowsocks-libev-manager.pid -u --fast-open
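Review bot: `ProtectHome=true` in this unit may conflict with ss-manager's working directory. To my knowledge that directory defaults to `.shadowsocks` under the invoking user's home and is created at start-up, so with /home and /root made inaccessible the step would fail unless another directory is configured. This is inferred from the daemon's default behaviour rather than from the hunk, so it needs a start test of this unit. If confirmed, either point the manager at a directory under /run or /var/lib, or record the requirement next to the directive with `# ProtectHome=true hides /root and /home; ss-manager needs its working directory elsewhere`.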
|
||||
|
@ -4,6 +4,19 @@ Wants=network-online.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
Type=forking
|
||||
PIDFile=/var/run/shadowsocks-libev-nat.pid
|
||||
ExecStart=/usr/bin/ss-nat -c /etc/shadowsocks/shadowsocks-libev-config.json -f /var/run/shadowsocks-libev-nat.pid -u --fast-open
|
||||
|
@ -4,6 +4,19 @@ Wants=network-online.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
Type=forking
|
||||
PIDFile=/var/run/shadowsocks-libev-nat@%i.pid
|
||||
ExecStart=/usr/bin/ss-nat -c /etc/shadowsocks/%i.json -f /var/run/shadowsocks-libev-nat@%i.pid -u --fast-open
|
||||
|
@ -4,6 +4,19 @@ Wants=network-online.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
Type=forking
|
||||
PIDFile=/var/run/shadowsocks-libev-redir.pid
|
||||
ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks/shadowsocks-libev-config.json -f /var/run/shadowsocks-libev-redir.pid -u --fast-open
|
||||
|
@ -4,6 +4,19 @@ Wants=network-online.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
Type=forking
|
||||
PIDFile=/var/run/shadowsocks-libev-redir@%i.pid
|
||||
ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks/%i.json -f /var/run/shadowsocks-libev-redir@%i.pid -u --fast-open
|
||||
|
@ -4,6 +4,19 @@ Wants=network-online.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
Type=forking
|
||||
PIDFile=/var/run/shadowsocks-libev-server.pid
|
||||
ExecStart=/usr/bin/ss-server -c /etc/shadowsocks/shadowsocks-libev-config.json -f /var/run/shadowsocks-libev-server.pid -u --fast-open
|
||||
|
@ -4,6 +4,19 @@ Wants=network-online.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
Type=forking
|
||||
PIDFile=/var/run/shadowsocks-libev-server@%i.pid
|
||||
ExecStart=/usr/bin/ss-server -c /etc/shadowsocks/%i.json -f /var/run/shadowsocks-libev-server@%i.pid -u --fast-open
|
||||
|
@ -4,6 +4,19 @@ Wants=network-online.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
Type=forking
|
||||
PIDFile=/var/run/shadowsocks-libev-tunnel.pid
|
||||
ExecStart=/usr/bin/ss-tunnel -c /etc/shadowsocks/shadowsocks-libev-config.json -f /var/run/shadowsocks-libev-tunnel.pid -u --fast-open
|
||||
|
@ -4,6 +4,19 @@ Wants=network-online.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
Type=forking
|
||||
PIDFile=/var/run/shadowsocks-libev-tunnel@%i.pid
|
||||
ExecStart=/usr/bin/ss-tunnel -c /etc/shadowsocks/%i.json -f /var/run/shadowsocks-libev-tunnel@%i.pid -u --fast-open
|
||||
|
@ -1,3 +1,19 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 16 16:05:33 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Added hardening to systemd service(s) (bsc#1181400). Modified:
|
||||
* shadowsocks-libev-client.service
|
||||
* shadowsocks-libev-client@.service
|
||||
* shadowsocks-libev-manager.service
|
||||
* shadowsocks-libev-nat.service
|
||||
* shadowsocks-libev-nat@.service
|
||||
* shadowsocks-libev-redir.service
|
||||
* shadowsocks-libev-redir@.service
|
||||
* shadowsocks-libev-server.service
|
||||
* shadowsocks-libev-server@.service
|
||||
* shadowsocks-libev-tunnel.service
|
||||
* shadowsocks-libev-tunnel@.service
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Sep 19 10:47:47 UTC 2020 - opensuse-packaging <opensuse-packaging@opensuse.org>
|
||||
|
||||
|