further restrict systemd service file
JensTimmerman opened this issue
- PrivateTmp=yes
- ProtectSystem=strict
- ProtectHome=yes
- ProtectClock=yes
- ProtectHostname=yes
- ProtectControlGroups=yes
- ProtectHostname=yes
- ProtectKernelLogs=yes
- ProtectKernelModules=yes
- ProtectKernelTunables=yes
- ProtectProc=invisible
- PrivateDevices=yes
- PrivateNetwork=yes
- NoNewPrivileges=yes
- User=vaultwarden
If we want to go further, we could also consider:
CapabilityBoundingSet=
DevicePolicy=closed
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
PrivateUsers=yes
RemoveIPC=yes
RestrictAddressFamilies=
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=
SystemCallArchitectures=native
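As an added example (not the project's own unit file and not part of the issue above), the directives can be applied without editing the packaged unit by placing them in a drop-in override. The data directory path, the address families and the syscall allow-list below are assumptions chosen so the service can still bind its HTTP port and write its database; `PrivateNetwork=yes` from the list is deliberately left out because it leaves the service with only a loopback interface, and an empty `SystemCallFilter=` resets the filter rather than applying one.

```ini
# /etc/systemd/system/vaultwarden.service.d/hardening.conf
# Added example drop-in; paths and values marked "assumed" are not from the issue.
[Service]
User=vaultwarden
NoNewPrivileges=yes

# Filesystem isolation
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
# ProtectSystem=strict makes the whole tree read-only, so the data directory
# must be re-granted explicitly (assumed path).
ReadWritePaths=/var/lib/vaultwarden
PrivateDevices=yes
DevicePolicy=closed

# Kernel and host information
ProtectClock=yes
ProtectHostname=yes
ProtectControlGroups=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible

# Network: keep the listener reachable but allow only IP and Unix sockets
# (assumed set; add AF_NETLINK only if the service turns out to need it).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Privilege and namespace restrictions
CapabilityBoundingSet=
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
PrivateUsers=yes
RemoveIPC=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

# Syscall filtering: @system-service is systemd's allow-list for ordinary
# daemons (assumed sufficient here; an empty SystemCallFilter= would reset
# the filter instead of applying one).
SystemCallArchitectures=native
SystemCallFilter=@system-service
```

After `systemctl daemon-reload && systemctl restart vaultwarden`, `systemd-analyze security vaultwarden.service` reports the remaining exposure per directive, and the journal shows any sandbox-related failures (for example a refused syscall or a write to a path not covered by `ReadWritePaths=`) if one of the assumed values is too tight for a given deployment.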