-rw-r--r--newsboat/systemd/user/reload-newsboat.service18
1 files changed, 18 insertions, 0 deletions
diff --git a/newsboat/systemd/user/reload-newsboat.service b/newsboat/systemd/user/reload-newsboat.service
index c1e5fab9..24cda424 100644
--- a/newsboat/systemd/user/reload-newsboat.service
+++ b/newsboat/systemd/user/reload-newsboat.service
@@ -8,3 +8,21 @@ Type=oneshot
LogsDirectory=newsboat
LogsDirectoryMode=0700
ExecStart=newsboat --execute=reload --log-file=%L/newsboat/%p.log --log-level=6
+# Hardening
+KeyringMode=private
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+RestrictAddressFamilies=AF_UNIX
+RestrictAddressFamilies=~AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
+# Slowing
+Nice=10
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
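Review bot: The pair `RestrictAddressFamilies=AF_UNIX` followed by `RestrictAddressFamilies=~AF_UNIX` builds an allow-list and then removes its only entry, which as far as I know leaves an empty allow-list, so socket() is refused for every address family rather than just AF_UNIX. That looks at odds with `ExecStart=newsboat --execute=reload` if the reload fetches feeds over the network; in that case the intended setting is probably `RestrictAddressFamilies=AF_INET AF_INET6` (name resolution may additionally need AF_UNIX or AF_NETLINK, which is worth testing). If denying all families is deliberate, a comment such as `# allow-list minus its only entry = no sockets at all` above the pair would keep the next reader from treating it as a typo. The unit's section header and earlier directives are outside the hunk.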