diff options
| author | Julien Voisin <jvoisin@users.noreply.github.com> | 2021-11-04 16:15:42 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-11-04 16:15:42 +0100 |
| commit | 564990964d01b146378e253e17f7414ac129e732 (patch) | |
| tree | 82369ac865c5f73e66f7be0ce249b4f5129968e7 | |
| parent | 5aadf8c291df8a9f9a3bb6d4407979fc456ab6d4 (diff) | |
Add a bit of hardening to the systemd service
Tested in an unprivileged lxc container, so it shouldn'tâ„¢ break anything.
| -rw-r--r-- | debian/jellyfin.service | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/debian/jellyfin.service b/debian/jellyfin.service index b79cd47c7..e215a8536 100644 --- a/debian/jellyfin.service +++ b/debian/jellyfin.service @@ -10,5 +10,27 @@ ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELL Restart = on-failure TimeoutSec = 15 +NoNewPrivileges=true +SystemCallArchitectures=native +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +ProtectKernelModules=True +SystemCallFilter=~@clock +SystemCallFilter=~@aio +SystemCallFilter=~@chown +SystemCallFilter=~@cpu-emulation +SystemCallFilter=~@debug +SystemCallFilter=~@keyring +SystemCallFilter=~@memlock +SystemCallFilter=~@module +SystemCallFilter=~@mount +SystemCallFilter=~@obsolete +SystemCallFilter=~@privileged +SystemCallFilter=~@raw-io +SystemCallFilter=~@reboot +SystemCallFilter=~@setuid +SystemCallFilter=~@swap +SystemCallErrorNumber=EPERM + + [Install] WantedBy = multi-user.target |