aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Runge <dave@sleepmap.de>2019-07-07 13:58:27 +0200
committerDavid Runge <dave@sleepmap.de>2019-07-07 13:58:27 +0200
commit661c52862ca96b2787193929ee7c3a1d4d897cf9 (patch)
tree225d51708bb699f3bf8bf028bf71ebef67ad283c
parentdb183686ce59c72e656a095ad2c6d83d50dfb3b0 (diff)
downloaddotfiles-661c52862ca96b2787193929ee7c3a1d4d897cf9.tar.gz
dotfiles-661c52862ca96b2787193929ee7c3a1d4d897cf9.tar.bz2
dotfiles-661c52862ca96b2787193929ee7c3a1d4d897cf9.tar.xz
dotfiles-661c52862ca96b2787193929ee7c3a1d4d897cf9.zip
.config/systemd/user/mpd@.service: Adding hardening options.
-rw-r--r--.config/systemd/user/mpd@.service6
1 files changed, 6 insertions, 0 deletions
diff --git a/.config/systemd/user/mpd@.service b/.config/systemd/user/mpd@.service
index 6bde606..abf1504 100644
--- a/.config/systemd/user/mpd@.service
+++ b/.config/systemd/user/mpd@.service
@@ -7,6 +7,12 @@ Conflicts=mpd.service
ExecStart=/usr/bin/mpd --no-daemon %h/.config/mpd/mpd-%i.conf
LimitRTPRIO=75
LimitRTTIME=infinity
+ProtectSystem=yes
+NoNewPrivileges=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictNamespaces=yes
[Install]
WantedBy=default.target