From 337105e00fcb1f60dede8b8a42730fc5d3e5319d Mon Sep 17 00:00:00 2001
From: "Wladimir J. van der Laan"
Date: Wed, 14 Mar 2018 14:47:49 +0100
Subject: [PATCH] Merge #12102: Apply hardening measures in bitcoind systemd service file

79ddfad Apply hardening measurements in bitcoind systemd service file (Florian Schmaus)

Pull request description:

Adds typical systemd hardening measurements for network services.

Tree-SHA512: 63e54d5a2e3e625c123c91e4392474226ec26c48709f2627f4d9d257a59f6960dd53ba4faa10cd355a89cad37fe351e2dbe8db79e681645b59081cf83e940438
---
 contrib/init/dashd.service | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/contrib/init/dashd.service b/contrib/init/dashd.service
index ea4548dfb2..574fd4bb41 100644
--- a/contrib/init/dashd.service
+++ b/contrib/init/dashd.service
@@ -19,7 +19,26 @@ User=dashcore
 Type=forking
 PIDFile=/run/dashd/dashd.pid
 Restart=on-failure
+
+# Hardening measures
+####################
+
+# Provide a private /tmp and /var/tmp.
 PrivateTmp=true
+# Mount /usr, /boot/ and /etc read-only for the process.
+ProtectSystem=full
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
+NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
+PrivateDevices=true
+
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
 [Install]
 WantedBy=multi-user.target
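Review bot: `MemoryDenyWriteExecute=true`, the last directive added here, is not paired with `SystemCallArchitectures=native`; systemd's documentation recommends combining the two, because on hosts that support more than one ABI (x86/x86-64, for example) the write-and-execute restriction can otherwise be circumvented through the alternative ABI. I would add, directly under it, `# Restrict system calls to the native ABI so the filter above cannot be bypassed.` and `SystemCallArchitectures=native`. The comment on `MemoryDenyWriteExecute=` could also say that code which generates executable memory at run time fails under this setting, so a packager knows what to check first if dashd does not start. The [Service] section begins above the hunk, so whether the data directory sits under a path that would stay writable (which decides if `ProtectSystem=strict` is an option) cannot be judged from here.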