diff --git a/contrib/init/dashd.service b/contrib/init/dashd.service index ea4548dfb2..574fd4bb41 100644 --- a/contrib/init/dashd.service +++ b/contrib/init/dashd.service @@ -19,7 +19,26 @@ User=dashcore Type=forking PIDFile=/run/dashd/dashd.pid Restart=on-failure + +# Hardening measures +#################### + +# Provide a private /tmp and /var/tmp. PrivateTmp=true +# Mount /usr, /boot/ and /etc read-only for the process. +ProtectSystem=full + +# Disallow the process and all of its children to gain +# new privileges through execve(). +NoNewPrivileges=true + +# Use a new /dev namespace only populated with API pseudo devices +# such as /dev/null, /dev/zero and /dev/random. +PrivateDevices=true + +# Deny the creation of writable and executable memory mappings. +MemoryDenyWriteExecute=true + [Install] WantedBy=multi-user.target