authorTom Ryder <tom@sanctum.geek.nz>2020-06-23 22:43:36 +1200
committerTom Ryder <tom@sanctum.geek.nz>2020-06-23 22:43:36 +1200
commit4a006b2bddccf1523b638d3c09f31ead464ca88f (patch)
tree2eac6177f8e97fd37726280dc8392e8660637d09
parentDefine newsboat systemd service as oneshot (diff)
Add hardening for systemd notify task
-rw-r--r--systemd/user/notify-email@.service11
1 files changed, 11 insertions, 0 deletions
diff --git a/systemd/user/notify-email@.service b/systemd/user/notify-email@.service
index 9293c423..bddee12a 100644
--- a/systemd/user/notify-email@.service
+++ b/systemd/user/notify-email@.service
@@ -4,3 +4,14 @@ Description=unit status mailer service for %i
[Service]
Type=oneshot
ExecStart=sh -c 'systemctl --user status %i | mail --append="From: systemd" --append="X-systemd: %H %m %b" --subject="[systemd] %i failure" %u'
+# Hardening
+DevicePolicy=closed
+IPAddressDeny=any
+PrivateMounts=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectSystem=full
+RemoveIPC=true
+SystemCallErrorNumber=EPERM
+UMask=027
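Review bot: `SystemCallErrorNumber=EPERM` on its own has no effect, because it only chooses the errno returned for calls rejected by `SystemCallFilter=`, and no filter is configured in this hunk; pairing it with `SystemCallFilter=@system-service` and `SystemCallArchitectures=native` makes the line meaningful, and `NoNewPrivileges=true` is the usual companion so the filter cannot be shed through a setuid helper. `IPAddressDeny=any` also covers loopback, so it assumes `mail` hands the message to a local sendmail binary rather than speaking SMTP to 127.0.0.1; if the host relies on a local SMTP relay, add `IPAddressAllow=localhost`. The mount-namespace options (PrivateMounts, PrivateTmp, ProtectSystem, ProtectHome, ProtectControlGroups) appear to depend on unprivileged user namespaces when used in a per-user manager, so on kernels where those are disabled the unit is likely to fail to start rather than run unsandboxed; a comment such as `# Mount-namespace options need unprivileged user namespaces in --user mode` and a check with `systemctl --user start notify-email@<unit>` would document that dependency.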