wpa_supplicant: harden systemd service

Message ID be41ccf0-8b00-63fd-cce4-559ceea6f5e5@gmail.com
State New
Series
  • wpa_supplicant: harden systemd service

Commit Message

Topi Miettinen April 4, 2019, 11:22 a.m. UTC

Patch

From f3f8511b6e23076f9b2fcdca00d5b19b4343bc29 Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Thu, 4 Apr 2019 14:18:08 +0300
Subject: [PATCH] Harden systemd service

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 .../systemd/wpa_supplicant.service.in         | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
index 75a37a8cd..d70e0bc36 100644
--- a/wpa_supplicant/systemd/wpa_supplicant.service.in
+++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
@@ -4,9 +4,28 @@  Before=network.target
 Wants=network.target
 
 [Service]
-Type=dbus
 BusName=fi.w1.wpa_supplicant1
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
 ExecStart=@BINDIR@/wpa_supplicant -u
+IPAddressDeny=any
+LimitMEMLOCK=0
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_PACKET
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+TasksMax=1
+Type=dbus
+UMask=0077
 
 [Install]
 WantedBy=multi-user.target
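Review bot: `ProtectSystem=strict` is added with no `ReadWritePaths=` or `RuntimeDirectory=` next to it, so the daemon is left with no writable path apart from the API filesystems and its private /tmp. An interface created over D-Bus with a `ctrl_interface` directory, or a configuration file using `update_config=1`, would presumably fail to create its socket or save changes. I would add `RuntimeDirectory=<control socket dir>` and `ReadWritePaths=<config dir>` (placeholders, to be matched to the installed paths), or state in a comment that these features are unsupported under this unit. `TasksMax=1` is also very tight: any thread or child process started by a linked library (a crypto engine or smartcard module, for example) would be refused, so a small margin or a comment recording the single-task assumption would help. The top of the unit file lies outside the hunk.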
-- 
2.20.1