This limits what the uuid daemon has access to when it runs.
Further improving this with additional options or making
things even tighter is most likely possible.
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Restart=no
User=uuidd
Group=uuidd
+ProtectSystem=strict
+ProtectHome=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateUsers=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+MemoryDenyWriteExecute=yes
+SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io
[Install]
Also=uuidd.socket
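Review bot: ProtectSystem=strict in this hunk mounts the whole file system hierarchy read-only for the service (only /dev, /proc and /sys stay writable), yet the hunk adds no ReadWritePaths= or RuntimeDirectory= to carve out the locations uuidd writes to. uuidd persists its clock state under /var/lib/libuuid and, unless started with --no-pid, creates a pid file under its runtime directory, so without an exemption those writes fail with a read-only file system error at runtime; suggest adding `ReadWritePaths=/var/lib/libuuid` and `RuntimeDirectory=uuidd`, or stating in the commit message that a socket-activated uuidd has been verified not to touch either path. Minor: the SystemCallFilter= line lists @default, @file-system, @basic-io, @signal, @io-event and @network-io next to @system-service, which already contains all of those groups, so `SystemCallFilter=@system-service` is equivalent and easier to keep current.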