Alexandre Vicenzi
3254c9c99d
- Removed PrivateDevices setting and allow access to /dev/net/tun for the service. Updated harden_tinc@.service.patch (also harden_tinc.service.patch to keep it in sync, even thought nothing really happens in there) (bsc#1181400) OBS-URL: https://build.opensuse.org/request/show/1058251 OBS-URL: https://build.opensuse.org/package/show/network:vpn/tinc?expand=0&rev=32
26 lines
788 B
Diff
26 lines
788 B
Diff
Index: tinc-1.0.36/systemd/tinc@.service.in
|
|
===================================================================
|
|
--- tinc-1.0.36.orig/systemd/tinc@.service.in
|
|
+++ tinc-1.0.36/systemd/tinc@.service.in
|
|
@@ -7,6 +7,20 @@ PartOf=tinc.service
|
|
ReloadPropagatedFrom=tinc.service
|
|
|
|
[Service]
|
|
+# added automatically, for details please see
|
|
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
+ProtectSystem=full
|
|
+ProtectHome=true
|
|
+ProtectHostname=true
|
|
+ProtectClock=true
|
|
+ProtectKernelTunables=true
|
|
+ProtectKernelModules=true
|
|
+ProtectKernelLogs=true
|
|
+ProtectControlGroups=true
|
|
+RestrictRealtime=true
|
|
+# end of automatic additions
|
|
+DeviceAllow=/dev/net/tun rwm
|
|
+DevicePolicy=closed
|
|
Type=simple
|
|
WorkingDirectory=@sysconfdir@/tinc/%i
|
|
ExecStart=@sbindir@/tincd -n %i -D
|