forked from pool/rtkit
Marcus Meissner
f9a3701ea0
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/932177 OBS-URL: https://build.opensuse.org/package/show/Base:System/rtkit?expand=0&rev=46
24 lines
785 B
Diff
24 lines
785 B
Diff
Index: rtkit-0.13/rtkit-daemon.service.in
|
|
===================================================================
|
|
--- rtkit-0.13.orig/rtkit-daemon.service.in
|
|
+++ rtkit-0.13/rtkit-daemon.service.in
|
|
@@ -25,6 +25,18 @@ BusName=org.freedesktop.RealtimeKit1
|
|
NotifyAccess=main
|
|
CapabilityBoundingSet=CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT CAP_SETGID CAP_SETUID
|
|
PrivateNetwork=yes
|
|
+# added automatically, for details please see
|
|
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
+ProtectSystem=full
|
|
+ProtectHome=true
|
|
+PrivateDevices=true
|
|
+ProtectHostname=true
|
|
+ProtectClock=true
|
|
+ProtectKernelTunables=true
|
|
+ProtectKernelModules=true
|
|
+ProtectKernelLogs=true
|
|
+ProtectControlGroups=true
|
|
+# end of automatic additions
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|