etc: Add hardening options to syncthing systemd services (fixes #5286) (#5351)

author: desbma <desbma@users.noreply.github.com> 2018-12-07 14:58:12 +0100
committer: Jakob Borg <jakob@kastelo.net> 2018-12-07 14:58:12 +0100
commit: 132789785d1bddf750b81a7ef86b9b54055bffc1 (patch)
tree: f90189961be4ff5b95c9c379d214df537ac07c4e /etc
parent: 002de7b6a0b0b9600782c4eeb430d5096609d64b (diff)
download: syncthing-132789785d1bddf750b81a7ef86b9b54055bffc1.tar.gz
syncthing-132789785d1bddf750b81a7ef86b9b54055bffc1.zip
2 files changed, 14 insertions, 0 deletions
diff --git a/etc/linux-systemd/system/syncthing@.service b/etc/linux-systemd/system/syncthing@.service
index 1de4274ad..30846b1c2 100644
--- a/etc/linux-systemd/system/syncthing@.service
+++ b/etc/linux-systemd/system/syncthing@.service
@@ -10,5 +10,12 @@ Restart=on-failure
 SuccessExitStatus=3 4
 RestartForceExitStatus=3 4
 
+# Hardening
+ProtectSystem=full
+PrivateTmp=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+
 [Install]
 WantedBy=multi-user.target
diff --git a/etc/linux-systemd/user/syncthing.service b/etc/linux-systemd/user/syncthing.service
index 6a9f3b7af..1c0fe2296 100644
--- a/etc/linux-systemd/user/syncthing.service
+++ b/etc/linux-systemd/user/syncthing.service
@@ -8,5 +8,12 @@ Restart=on-failure
 SuccessExitStatus=3 4
 RestartForceExitStatus=3 4
 
+# Hardening
+ProtectSystem=full
+PrivateTmp=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+
 [Install]
 WantedBy=default.target
author	desbma <desbma@users.noreply.github.com>	2018-12-07 14:58:12 +0100
committer	Jakob Borg <jakob@kastelo.net>	2018-12-07 14:58:12 +0100
commit	132789785d1bddf750b81a7ef86b9b54055bffc1 (patch)
tree	f90189961be4ff5b95c9c379d214df537ac07c4e /etc
parent	002de7b6a0b0b9600782c4eeb430d5096609d64b (diff)
download	syncthing-132789785d1bddf750b81a7ef86b9b54055bffc1.tar.gz syncthing-132789785d1bddf750b81a7ef86b9b54055bffc1.zip