Skip to content

Commit

Permalink
feat: Attempt to Harden User service
Browse files Browse the repository at this point in the history
  • Loading branch information
@Kimiblock
Kimiblock committed Feb 5, 2024
1 parent 490a565 commit 230f973
Showing 1 changed file with 25 additions and 1 deletion.
26 changes: 25 additions & 1 deletion snotify.service
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,33 @@ After=dbus.service
[Service]
ExecStart=/usr/bin/snotify
Restart=always
RestartSec=1
RestartSec=1s
MemoryHigh=16M
MemoryMax=20M
OOMPolicy=kill


CapabilityBoundingSet=
AmbientCapabilities=

ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
SystemCallArchitectures=native

[Install]
WantedBy=default.target

0 comments on commit 230f973

Please sign in to comment.