Merge tag 'v0.19.20'

release v0.19.20
author: Max Kellermann <max@musicpd.org> 2016-12-09 20:18:54 +0100
committer: Max Kellermann <max@musicpd.org> 2016-12-09 20:18:54 +0100
commit: ae7e25ea657de864fd5e1ab7b420343c2e9a1db1 (patch)
tree: 18d638fa3e0b886eb7464ea0f7eea9c9752a3b2e /systemd
parent: 5013de6770e19173e17b6fa72b11b34df0fa85a6 (diff)
parent: fef45d469c104934635ee7791ce7dced454e8f52 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/systemd/mpd.service.in b/systemd/mpd.service.in
index f48c0f0e4..7b0218bf2 100644
--- a/systemd/mpd.service.in
+++ b/systemd/mpd.service.in
@@ -14,6 +14,15 @@ LimitRTTIME=infinity
 # disallow writing to /usr, /bin, /sbin, ...
 ProtectSystem=yes
 
+# more paranoid security settings
+NoNewPrivileges=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictNamespaces=yes
+
 [Install]
 WantedBy=multi-user.target
 Also=mpd.socket
author	Max Kellermann <max@musicpd.org>	2016-12-09 20:18:54 +0100
committer	Max Kellermann <max@musicpd.org>	2016-12-09 20:18:54 +0100
commit	ae7e25ea657de864fd5e1ab7b420343c2e9a1db1 (patch)
tree	18d638fa3e0b886eb7464ea0f7eea9c9752a3b2e /systemd
parent	5013de6770e19173e17b6fa72b11b34df0fa85a6 (diff)
parent	fef45d469c104934635ee7791ce7dced454e8f52 (diff)