Merge pull request #7286 from RubenKelevra/feat/systemd-service-harde…
…ning systemd: enable systemd hardening features
Showing
1 changed file
with
70 additions
and
0 deletions.
@@ -0,0 +1,70 @@ | ||
# This file will be overwritten on package upgrades, avoid customizations here. | ||
# | ||
# To make persistant changes, create file in | ||
# "/etc/systemd/system/ipfs.service.d/overwrite.conf" with | ||
# `systemctl edit ipfs.service`. This file will be parsed after this | ||
# file has been parsed. | ||
# | ||
# To overwrite a variable, like ExecStart you have to specify it once | ||
# blank and a second time with a new value, like: | ||
# ExecStart= | ||
# ExecStart=/usr/bin/ipfs daemon --flag1 --flag2 | ||
# | ||
# For more info about custom unit files see systemd.unit(5). | ||
|
||
# This service file enables systemd-hardening features compatible with IPFS, | ||
# while breaking compability with the fuse-mount function. Use this one only | ||
# if you don't need the fuse-mount functionality. | ||
|
||
[Unit] | ||
Description=InterPlanetary File System (IPFS) daemon | ||
Documentation=https://docs.ipfs.io/ | ||
After=network.target | ||
|
||
[Service] | ||
# hardening | ||
ReadWritePaths="/var/lib/ipfs/" | ||
NoNewPrivileges=true | ||
ProtectSystem=strict | ||
ProtectKernelTunables=true | ||
ProtectKernelModules=true | ||
ProtectKernelLogs=true | ||
PrivateDevices=true | ||
DevicePolicy=closed | ||
ProtectControlGroups=true | ||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK | ||
ProtectHostname=true | ||
PrivateTmp=true | ||
ProtectClock=true | ||
LockPersonality=true | ||
RestrictNamespaces=true | ||
RestrictRealtime=true | ||
MemoryDenyWriteExecute=true | ||
SystemCallArchitectures=native | ||
SystemCallFilter=@system-service | ||
SystemCallFilter=~@privileged | ||
ProtectHome=true | ||
RemoveIPC=true | ||
RestrictSUIDSGID=true | ||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE | ||
|
||
# enable for 1-1024 port listening | ||
#AmbientCapabilities=CAP_NET_BIND_SERVICE | ||
# enable to specify a custom path see docs/environment-variables.md for further documentations | ||
#Environment=IPFS_PATH=/custom/ipfs/path | ||
# enable to specify a higher limit for open files/connections | ||
#LimitNOFILE=1000000 | ||
|
||
#don't use swap | ||
MemorySwapMax=0 | ||
|
||
Type=notify | ||
User=ipfs | ||
Group=ipfs | ||
StateDirectory=ipfs | ||
ExecStart=/usr/bin/ipfs daemon --init --migrate | ||
Restart=on-failure | ||
KillSignal=SIGINT | ||
|
||
[Install] | ||
WantedBy=default.target |
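Review bot: The customization hint `#Environment=IPFS_PATH=/custom/ipfs/path` is incomplete under the sandbox this unit configures: `ProtectSystem=strict` leaves the filesystem read-only apart from `ReadWritePaths=`/`StateDirectory=`, and `ProtectHome=true` makes /home and /root unavailable, so a repo placed outside /var/lib/ipfs will fail at daemon start unless the drop-in also extends `ReadWritePaths=`. Suggest amending that comment to `# if you use a custom path, also add it to ReadWritePaths= in your drop-in; paths under /home are inaccessible while ProtectHome=true`. Separately, `ReadWritePaths="/var/lib/ipfs/"` looks redundant with `StateDirectory=ipfs`, which already makes /var/lib/ipfs writable under ProtectSystem=strict, and the double quotes around a single path are an unusual style for this setting. The header comment has typos (`persistant`, `compability`), and its drop-in path `/etc/systemd/system/ipfs.service.d/` only applies if this hardened variant is actually installed under the name `ipfs.service`, which the page does not show.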