aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTom Ryder <tom@sanctum.geek.nz>2020-06-24 00:59:04 +1200
committerTom Ryder <tom@sanctum.geek.nz>2020-06-24 01:00:44 +1200
commitac9568c48b353e23706c9f2d8e09d9a9d091f866 (patch)
tree09156f5777658ada254ca79017f8dde26337b50e
parentAdd reload logs for Newsboat (diff)
downloaddotfiles-ac9568c48b353e23706c9f2d8e09d9a9d091f866.tar.gz
dotfiles-ac9568c48b353e23706c9f2d8e09d9a9d091f866.zip
Add hardening to Newsboat
-rw-r--r--newsboat/systemd/user/reload-newsboat.service18
1 files changed, 18 insertions, 0 deletions
diff --git a/newsboat/systemd/user/reload-newsboat.service b/newsboat/systemd/user/reload-newsboat.service
index c1e5fab9..24cda424 100644
--- a/newsboat/systemd/user/reload-newsboat.service
+++ b/newsboat/systemd/user/reload-newsboat.service
@@ -8,3 +8,21 @@ Type=oneshot
LogsDirectory=newsboat
LogsDirectoryMode=0700
ExecStart=newsboat --execute=reload --log-file=%L/newsboat/%p.log --log-level=6
+# Hardening
+KeyringMode=private
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+RestrictAddressFamilies=AF_UNIX
+RestrictAddressFamilies=~AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
+# Slowing
+Nice=10
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7