report-basic: lock down the service

The basic approach is copied from systemd-journal-gatewayd.service,
with some additions to lock down unneeded network access.

diff --git a/units/systemd-report-basic.socket b/units/systemd-report-basic.socket
index bce93091968958fa81067ec80ca7255398389e0e..bfa4ea72568feade2d0f97c7afd9f5d8970211d0 100644 (file)
--- a/units/systemd-report-basic.socket
+++ b/units/systemd-report-basic.socket
@@ -16,6 +16,7 @@ ListenStream=/run/systemd/report/io.systemd.Basic
 FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes
+MaxConnectionsPerSource=16
 RemoveOnStop=yes
 
 [Install]

diff --git a/units/systemd-report-basic@.service.in b/units/systemd-report-basic@.service.in
index ad4e3fce708578353064e146ba7ead806dc7efde..a8a3b76e865c7cc1af4ed6e3b44f2e0ce89609e9 100644 (file)
--- a/units/systemd-report-basic@.service.in
+++ b/units/systemd-report-basic@.service.in
@@ -10,4 +10,28 @@
 Description=Report System Basic Facts
 
 [Service]
+CapabilityBoundingSet=
+DeviceAllow=
+DynamicUser=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateIPC=yes
+PrivateNetwork=yes
+PrivateTmp=disconnected
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
 ExecStart={{LIBEXECDIR}}/systemd-report-basic