systemd hardening

Improve security by isolating boinc as much as possible.

See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for explanations of each option.
This commit is contained in:
Craig Andrews 2018-12-05 09:24:04 -05:00
parent 8901d49c16
commit 78035bc14e
No known key found for this signature in database
GPG Key ID: 4589B16C461AB092
1 changed files with 19 additions and 1 deletions


@ -4,8 +4,12 @@ Documentation=man:boinc(1)
After=network-online.target After=network-online.target
[Service] [Service]
ProtectHome=true
Type=simple Type=simple
ProtectHome=true
PrivateTmp=true
ProtectSystem=strict
ProtectControlGroups=true
ReadWritePaths=-/var/lib/boinc -/etc/boinc-client
Nice=10 Nice=10
User=boinc User=boinc
WorkingDirectory=/var/lib/boinc WorkingDirectory=/var/lib/boinc
@ -14,6 +18,20 @@ ExecStop=@exec_prefix@/bin/boinccmd --quit
ExecReload=@exec_prefix@/bin/boinccmd --read_cc_config ExecReload=@exec_prefix@/bin/boinccmd --read_cc_config
ExecStopPost=/bin/rm -f lockfile ExecStopPost=/bin/rm -f lockfile
IOSchedulingClass=idle IOSchedulingClass=idle
# The following options prevent setuid root as they imply NoNewPrivileges=true
# Since Atlas requires setuid root, they break Atlas
# In order to improve security, if you're not using Atlas,
# Add these options to the [Service] section of an override file using
# sudo systemctl edit boinc-client.service
#NoNewPrivileges=true
#ProtectKernelModules=true
#ProtectKernelTunables=true
#RestrictRealtime=true
#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
#RestrictNamespaces=true
#PrivateUsers=true
#CapabilityBoundingSet=
#MemoryDenyWriteExecute=true
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
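Review bot: The comment block at the top of the second hunk groups `CapabilityBoundingSet=` with the settings that "imply NoNewPrivileges=true", but an empty bounding set defeats setuid root by a different mechanism (a setuid binary can no longer acquire any capability), not via NoNewPrivileges; suggest rewording the first line to `# The following options defeat setuid root: most imply NoNewPrivileges=true when User= is set, CapabilityBoundingSet= empties the bounding set`. Because the unit runs with `User=boinc`, the seccomp-based options listed (ProtectKernelModules, ProtectKernelTunables, RestrictRealtime, RestrictAddressFamilies, RestrictNamespaces, MemoryDenyWriteExecute) do imply NoNewPrivileges=yes, so the Atlas rationale holds for those and the split between enabled and commented-out options is consistent. With `ProtectSystem=strict` in the first hunk, every path outside `ReadWritePaths=-/var/lib/boinc -/etc/boinc-client` is now read-only to the service, so if the ExecStart line between the two hunks (not visible here) or the client itself writes a log or lock file elsewhere, that path needs to be added as well; the `-` prefix only suppresses errors for paths that do not exist, it does not relax the read-only mount. `ProtectSystem=strict`, `ReadWritePaths=` and `ProtectControlGroups=` require a recent systemd (231/232 era); older versions log a warning and ignore the unknown assignment, which is harmless but means the hardening silently does not apply there, worth a one-line comment above the [Service] block.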