From: Clément Pit-Claudel Date: Sun, 10 Mar 2019 16:43:39 +0000 (+0000) Subject: Harden ympd.service X-Git-Url: http://gitweb.hugovil.com/?a=commitdiff_plain;h=0917b467e8842b745367ee109c7a6e3388b339c3;p=ympd.git Harden ympd.service This offers a measure of protection against potential ympd vulnerabilities. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for documentation. --- diff --git a/contrib/ympd.service b/contrib/ympd.service index 49559c7..c3a33f9 100644 --- a/contrib/ympd.service +++ b/contrib/ympd.service @@ -3,6 +3,26 @@ Description=ympd server daemon Requires=network.target local-fs.target [Service] +User=ympd +DynamicUser=yes +MountAPIVFS=yes +RemoveIPC=yes +CapabilityBoundingSet= +LockPersonality=yes +PrivateUsers=yes +PrivateTmp=yes +PrivateDevices=yes +ProtectSystem=strict +NoNewPrivileges=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictNamespaces=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes +ProtectHome=yes + Environment=MPD_HOST=localhost Environment=MPD_PORT=6600 Environment=MPD_PASSWORD=
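Review bot: the seccomp-backed settings in the added [Service] block (`MemoryDenyWriteExecute=yes`, `RestrictNamespaces=yes`, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`) are not paired with `SystemCallArchitectures=native`. The systemd.exec page linked in the commit message recommends that combination on multi-ABI systems such as x86/x86-64, because a process can otherwise issue the restricted calls through the alternative ABI. Suggest adding `SystemCallArchitectures=native` next to them. Two smaller points on the same block. First, `User=ympd` together with `DynamicUser=yes` falls back to a statically allocated `ympd` account if one already exists on the host, so a short comment saying which behaviour is intended would help packagers. Second, `DynamicUser=yes` already implies `RemoveIPC=yes`, `PrivateTmp=yes` and `NoNewPrivileges=yes`, so those lines are redundant but harmless as explicit documentation. With `ProtectSystem=strict` the whole file system is read-only for the service, so if ympd ever needs a writable path it should be declared with `StateDirectory=` or `CacheDirectory=` rather than by relaxing the protection.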