Merge pull request #246 from eriksjolund/adjust_restrict_address_families

Improve security of systemd service rest-server.service by restricting network access
Michael Eischer 2023-07-23 12:16:34 +02:00 committed by GitHub
commit 0bb8cd41d1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -2,9 +2,8 @@
Description=Rest Server
After=syslog.target
After=network.target
# if you want to use socket activation, make sure to require the socket here
#Requires=rest-server.socket
Requires=rest-server.socket
After=rest-server.socket
[Service]
Type=simple
@ -37,6 +36,11 @@ CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes
# As the listen socket is created by systemd via the rest-server.socket unit, it is
# no longer necessary for rest-server to have access to the host network namespace.
PrivateNetwork=yes
PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true
@ -51,7 +55,7 @@ ProtectProc=invisible
ProtectHostname=true
RemoveIPC=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictAddressFamilies=none
RestrictSUIDSGID=true
RestrictRealtime=true
# if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host
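Review bot: The new `RestrictAddressFamilies=none` in the last hunk carries no comment explaining why a network server can run with every socket family denied, whereas the `PrivateNetwork=yes` line in the second hunk got one; the two settings only work together because `Requires=rest-server.socket` in the first hunk guarantees the listen fd is inherited from systemd, so a maintainer who later relaxes any one of the three (for example to run with a `--listen` address instead of the socket unit) gets a service that starts but cannot accept connections. Suggest a comment above the line such as `# The listen socket is inherited from rest-server.socket, so rest-server never needs to create sockets itself (this also denies AF_UNIX).` As far as I can tell from the systemd.exec documentation the restriction applies to socket() calls (which then fail with EAFNOSUPPORT) and not to inherited file descriptors, but it is worth confirming that nothing in ExecStart, which lies outside these hunks, relies on AF_UNIX (e.g. syslog via /dev/log) before merging. Minor style point: the new `PrivateNetwork=yes` follows the `yes` spelling of `NoNewPrivileges`/`PrivateTmp` while the surrounding `LockPersonality`/`MemoryDenyWriteExecute`/`PrivateDevices` lines use `true`; picking one spelling for the unit would make future diffs easier to read.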