use systemd security features

author: Christian Hesse <mail@eworm.de> 2019-09-04 13:32:19 +0200
committer: Christian Hesse <mail@eworm.de> 2019-09-04 16:04:40 +0200
commit: 0fad7226c33c5fd1f94321986f0a96bd9fd5da04 (patch)
tree: 2b0de4377c9c94b8343519889bf4b1ebfc369f1b
parent: do not run in container (diff)
download: haveged-0fad7226c33c5fd1f94321986f0a96bd9fd5da04.tar.xz
haveged-0fad7226c33c5fd1f94321986f0a96bd9fd5da04.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/init.d/service.fedora b/init.d/service.fedora
index 0fe6ef6..fdc7bae 100644
--- a/init.d/service.fedora
+++ b/init.d/service.fedora
@@ -9,6 +9,11 @@ Before=sysinit.target shutdown.target systemd-journald.service
 ExecStart=/usr/sbin/haveged -w 1024 -v 1 --Foreground
 Restart=always
 SuccessExitStatus=137 143
+CapabilityBoundingSet=CAP_SYS_ADMIN
+NoNewPrivileges=on
+PrivateDevices=on
+PrivateNetwork=on
+ProtectSystem=full
 
 [Install]
 WantedBy=sysinit.target
author	Christian Hesse <mail@eworm.de>	2019-09-04 13:32:19 +0200
committer	Christian Hesse <mail@eworm.de>	2019-09-04 16:04:40 +0200
commit	0fad7226c33c5fd1f94321986f0a96bd9fd5da04 (patch)
tree	2b0de4377c9c94b8343519889bf4b1ebfc369f1b
parent	do not run in container (diff)
download	haveged-0fad7226c33c5fd1f94321986f0a96bd9fd5da04.tar.xz haveged-0fad7226c33c5fd1f94321986f0a96bd9fd5da04.zip