author | Tom Ryder <tom@sanctum.geek.nz> | 2020-06-23 22:43:36 +1200 |
---|---|---|
committer | Tom Ryder <tom@sanctum.geek.nz> | 2020-06-23 22:43:36 +1200 |
commit | 4a006b2bddccf1523b638d3c09f31ead464ca88f (patch) | |
tree | 2eac6177f8e97fd37726280dc8392e8660637d09 | |
parent | Define newsboat systemd service as oneshot (diff) | |
download | dotfiles-4a006b2bddccf1523b638d3c09f31ead464ca88f.tar.gz dotfiles-4a006b2bddccf1523b638d3c09f31ead464ca88f.zip |
Add hardening for systemd notify task
-rw-r--r-- | systemd/user/notify-email@.service | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/systemd/user/notify-email@.service b/systemd/user/notify-email@.service index 9293c423..bddee12a 100644 --- a/systemd/user/notify-email@.service +++ b/systemd/user/notify-email@.service @@ -4,3 +4,14 @@ Description=unit status mailer service for %i [Service] Type=oneshot ExecStart=sh -c 'systemctl --user status %i | mail --append="From: systemd" --append="X-systemd: %H %m %b" --subject="[systemd] %i failure" %u' +# Hardening +DevicePolicy=closed +IPAddressDeny=any +PrivateMounts=true +PrivateTmp=true +ProtectControlGroups=true +ProtectHome=true +ProtectSystem=full +RemoveIPC=true +SystemCallErrorNumber=EPERM +UMask=027 |
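Review bot: SystemCallErrorNumber=EPERM near the end of the hunk is a no-op on its own; systemd only returns that errno when a system call is rejected by a SystemCallFilter=, and this unit configures none, so either drop the line or pair it with a filter such as SystemCallFilter=@system-service. RemoveIPC=true is likewise inert here, since it only acts when User=, Group= or DynamicUser= is set, which a per-user unit does not do. Two of the remaining directives need checking against what the ExecStart pipeline actually requires: IPAddressDeny=any will break delivery if the mail command submits over SMTP/TCP instead of handing off to a local sendmail, and ProtectHome=true in a --user unit hides the user's own home directory, so mail cannot read ~/.mailrc or write dead.letter (ProtectHome=read-only is the safer choice if either matters). Several of these sandboxing options (ProtectHome=, ProtectSystem=, PrivateTmp=, PrivateMounts=, IPAddressDeny=) also only take effect in a user service manager when the kernel permits unprivileged user namespaces and cgroup BPF, so it is worth confirming the net result with systemd-analyze security on the user manager and by triggering a test failure of one notify-email@ instance.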