diff options
| author | Max Kellermann <max@musicpd.org> | 2016-12-09 10:36:02 +0100 |
|---|---|---|
| committer | Max Kellermann <max@musicpd.org> | 2016-12-09 10:41:44 +0100 |
| commit | e3237f057dac679a5f2dd4fe6d020e98a5dfab44 (patch) | |
| tree | a88bc88e4d9012ad5d0dc07798b97e1b8fc559dd /systemd | |
| parent | 54d5d9d1ccb5c91ba9521918c5261758e8a294fb (diff) | |
systemd: more paranoid security settings
Diffstat (limited to 'systemd')
| -rw-r--r-- | systemd/mpd.service.in | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/systemd/mpd.service.in b/systemd/mpd.service.in index c02f55e8d..250ab521c 100644 --- a/systemd/mpd.service.in +++ b/systemd/mpd.service.in @@ -12,6 +12,15 @@ LimitRTTIME=infinity # disallow writing to /usr, /bin, /sbin, ... ProtectSystem=yes +# more paranoid security settings +NoNewPrivileges=yes +ProtectKernelTunables=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh* +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK +RestrictNamespaces=yes + [Install] WantedBy=multi-user.target Also=mpd.socket |