author | Tom Ryder <tom@sanctum.geek.nz> | 2020-09-13 01:19:27 +1200 |
---|---|---|
committer | Tom Ryder <tom@sanctum.geek.nz> | 2020-09-13 01:19:27 +1200 |
commit | 95719938f1e8e62577d4c5631607ac075b78b6d9 (patch) | |
tree | 50a8f566a0e45846c1d91b340f828c24ca1e1180 | |
parent | Merge branch 'release/v10.7.0' into develop (diff) | |
Remove hardening from systemd units
I suspect most-to-all of this doesn't actually work, and probably
shouldn't deploy it unless and until I am.
-rw-r--r-- | newsboat/systemd/user/reload-newsboat.service | 20 |
-rw-r--r-- | systemd/user/notify-email@.service | 11 |
2 files changed, 0 insertions, 31 deletions
diff --git a/newsboat/systemd/user/reload-newsboat.service b/newsboat/systemd/user/reload-newsboat.service index 981ef7bc..2699697c 100644 --- a/newsboat/systemd/user/reload-newsboat.service +++ b/newsboat/systemd/user/reload-newsboat.service @@ -8,23 +8,3 @@ Type=oneshot LogsDirectory=newsboat LogsDirectoryMode=0700 ExecStart=newsboat --execute=reload --log-file=%L/newsboat/%p.log --log-level=5 -# Hardening -IPAddressDeny=any -IPAddressAllow=localhost -KeyringMode=private -LockPersonality=true -MemoryDenyWriteExecute=true -NoNewPrivileges=true -RestrictAddressFamilies=AF_UNIX -RestrictAddressFamilies=~AF_UNIX -RestrictNamespaces=true -RestrictRealtime=true -SystemCallArchitectures=native -SystemCallErrorNumber=EPERM -SystemCallFilter=@system-service -SystemCallFilter=~@privileged @resources -UMask=0077 -# Slowing -Nice=10 -IOSchedulingClass=best-effort -IOSchedulingPriority=7 diff --git a/systemd/user/notify-email@.service b/systemd/user/notify-email@.service index bddee12a..9293c423 100644 --- a/systemd/user/notify-email@.service +++ b/systemd/user/notify-email@.service @@ -4,14 +4,3 @@ Description=unit status mailer service for %i [Service] Type=oneshot ExecStart=sh -c 'systemctl --user status %i | mail --append="From: systemd" --append="X-systemd: %H %m %b" --subject="[systemd] %i failure" %u' -# Hardening -DevicePolicy=closed -IPAddressDeny=any -PrivateMounts=true -PrivateTmp=true -ProtectControlGroups=true -ProtectHome=true -ProtectSystem=full -RemoveIPC=true -SystemCallErrorNumber=EPERM -UMask=027 |
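Review bot: in the reload-newsboat.service hunk, the deletion runs past the "# Hardening" block and also drops the "# Slowing" block (Nice=10, IOSchedulingClass=best-effort, IOSchedulingPriority=7), which sets scheduling priority rather than sandboxing and is not covered by the commit subject. Either keep those three lines or state in the message that they are removed on purpose. Separately, the removed block set both RestrictAddressFamilies=AF_UNIX and RestrictAddressFamilies=~AF_UNIX, which contradict each other; if any of this is reinstated later, only one form should come back, and only after testing that the reload still works with it and with IPAddressDeny=any in place.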
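Review bot: in the notify-email@.service hunk, UMask=027 is removed together with the mount and cgroup directives, although it is a plain process attribute and does not depend on the sandboxing features the commit message doubts. Consider keeping it, or testing the directives one at a time rather than dropping the block wholesale. Since the message describes the removal as provisional, a short comment left in the [Service] section saying that hardening was removed pending verification would keep it from being forgotten.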