From: Christian Hesse Date: Tue, 27 Dec 2016 22:18:32 +0000 (+0100) Subject: systemd: Add more security feature for systemd units X-Git-Tag: v2.5_beta1~753 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76096c605fcac4815674b6ae76ac1f31f03a8186;p=thirdparty%2Fopenvpn.git systemd: Add more security feature for systemd units ProtectSystem=true mounts the /usr and /boot directories read-only. ProtectHome=true makes the directories /home, /root and /run/user inaccessible and empty for the process. See systemd.exec(5) [0] for details. v2: Replace ProtectSystem=strict with ProtectSystem=true. Some configurations may want to write to /etc or the like. [0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html Signed-off-by: Christian Hesse Acked-by: David Sommerseth Message-Id: <20161227221832.610-1-list@eworm.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13743.html Signed-off-by: David Sommerseth --- diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in index 1be1e3322..49e3f51cc 100644 --- a/distro/systemd/openvpn-client@.service.in +++ b/distro/systemd/openvpn-client@.service.in @@ -15,6 +15,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETU LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw +ProtectSystem=true +ProtectHome=true [Install] WantedBy=multi-user.target diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in index 3dccaf253..9a8a2c730 100644 --- a/distro/systemd/openvpn-server@.service.in +++ b/distro/systemd/openvpn-server@.service.in @@ -15,6 +15,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RA LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw +ProtectSystem=true +ProtectHome=true [Install] WantedBy=multi-user.target
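Review bot: both hunks (openvpn-client@.service.in and openvpn-server@.service.in) add `ProtectHome=true`, which per the commit message makes /home, /root and /run/user inaccessible and empty for the process, so an instance whose config references certificates, keys or up/down scripts under /root or /home will fail at start with an opaque file-not-found error rather than a clear hint; consider a short comment above the two new lines (e.g. `# ProtectHome=true hides /home, /root and /run/user; keep keys and scripts under /etc/openvpn`) and a release-notes entry, since this is a behaviour change for existing installs. The v2 decision to use `ProtectSystem=true` instead of `strict` so that /etc stays writable also belongs as a one-line comment next to the setting in the unit file, otherwise a later hardening pass is likely to tighten it without knowing why it was relaxed.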