Add a bit of hardening to the systemd service
Tested in an unprivileged lxc container, so it shouldn't™ break anything.
This commit is contained in:
Julien Voisin
GitHub
parent
5aadf8c291
commit
564990964d
22
debian/jellyfin.service
vendored
22
debian/jellyfin.service
vendored
|
|
@ -10,5 +10,27 @@ ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELL
|
|||
Restart = on-failure
|
||||
TimeoutSec = 15
|
||||
|
||||
NoNewPrivileges=true
|
||||
SystemCallArchitectures=native
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
ProtectKernelModules=True
|
||||
SystemCallFilter=~@clock
|
||||
SystemCallFilter=~@aio
|
||||
SystemCallFilter=~@chown
|
||||
SystemCallFilter=~@cpu-emulation
|
||||
SystemCallFilter=~@debug
|
||||
SystemCallFilter=~@keyring
|
||||
SystemCallFilter=~@memlock
|
||||
SystemCallFilter=~@module
|
||||
SystemCallFilter=~@mount
|
||||
SystemCallFilter=~@obsolete
|
||||
SystemCallFilter=~@privileged
|
||||
SystemCallFilter=~@raw-io
|
||||
SystemCallFilter=~@reboot
|
||||
SystemCallFilter=~@setuid
|
||||
SystemCallFilter=~@swap
|
||||
SystemCallErrorNumber=EPERM
|
||||
|
||||
|
||||
[Install]
|
||||
WantedBy = multi-user.target
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user