Alexandre Vicenzi
3254c9c99d
- Removed PrivateDevices setting and allow access to /dev/net/tun for the service. Updated harden_tinc@.service.patch (also harden_tinc.service.patch to keep it in sync, even thought nothing really happens in there) (bsc#1181400) OBS-URL: https://build.opensuse.org/request/show/1058251 OBS-URL: https://build.opensuse.org/package/show/network:vpn/tinc?expand=0&rev=32
26 lines
743 B
Diff
26 lines
743 B
Diff
Index: tinc-1.0.36/systemd/tinc.service.in
|
|
===================================================================
|
|
--- tinc-1.0.36.orig/systemd/tinc.service.in
|
|
+++ tinc-1.0.36/systemd/tinc.service.in
|
|
@@ -10,6 +10,20 @@ After=network.target
|
|
Wants=network.target
|
|
|
|
[Service]
|
|
+# added automatically, for details please see
|
|
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
+ProtectSystem=full
|
|
+ProtectHome=true
|
|
+ProtectHostname=true
|
|
+ProtectClock=true
|
|
+ProtectKernelTunables=true
|
|
+ProtectKernelModules=true
|
|
+ProtectKernelLogs=true
|
|
+ProtectControlGroups=true
|
|
+RestrictRealtime=true
|
|
+# end of automatic additions
|
|
+DeviceAllow=/dev/net/tun rwm
|
|
+DevicePolicy=closed
|
|
Type=oneshot
|
|
RemainAfterExit=yes
|
|
ExecStart=/bin/true
|