| author | Cody Robibero <cody@robibe.ro> | 2021-11-06 15:21:52 -0600 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-11-06 15:21:52 -0600 |
| commit | b217f84d501eef5b3968d502b660eccd1f0c5844 (patch) | |
| tree | ec26ac4e1666799f41b7ea628091c16ca76243b8 | |
| parent | 3c69283e2cf90911e7748c75bc0b6fe92138c2b5 (diff) | |
| parent | 564990964d01b146378e253e17f7414ac129e732 (diff) | |
Merge pull request #6778 from jvoisin/patch-1
Add a bit of hardening to the systemd service
| -rw-r--r-- | debian/jellyfin.service | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/debian/jellyfin.service b/debian/jellyfin.service index b79cd47c7..e215a8536 100644 --- a/debian/jellyfin.service +++ b/debian/jellyfin.service @@ -10,5 +10,27 @@ ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELL Restart = on-failure TimeoutSec = 15 +NoNewPrivileges=true +SystemCallArchitectures=native +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +ProtectKernelModules=True +SystemCallFilter=~@clock +SystemCallFilter=~@aio +SystemCallFilter=~@chown +SystemCallFilter=~@cpu-emulation +SystemCallFilter=~@debug +SystemCallFilter=~@keyring +SystemCallFilter=~@memlock +SystemCallFilter=~@module +SystemCallFilter=~@mount +SystemCallFilter=~@obsolete +SystemCallFilter=~@privileged +SystemCallFilter=~@raw-io +SystemCallFilter=~@reboot +SystemCallFilter=~@setuid +SystemCallFilter=~@swap +SystemCallErrorNumber=EPERM + + [Install] WantedBy = multi-user.target |
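Review bot: The fifteen `SystemCallFilter=~@...` lines in this hunk form a deny-list, so any system call outside those groups is still permitted, and nothing in the unit records why these groups were chosen or that Jellyfin was exercised with them blocked. Consider starting from an allow-list such as `SystemCallFilter=@system-service` and then subtracting groups, or at least add a comment line above the block stating the intent and what was tested. The deny entries can also be collapsed into one space-separated `SystemCallFilter=~@clock @aio ...` line, which is easier to audit. `RestrictAddressFamilies` includes `AF_NETLINK` without explanation; a short comment on what needs it would help future reviewers decide whether it can be dropped. On style: the existing directives use `Key = value` spacing (`Restart = on-failure`, `TimeoutSec = 15`) while the added ones use `Key=value`, the boolean casing differs between `NoNewPrivileges=true` and `ProtectKernelModules=True`, and the hunk adds two blank lines before `[Install]` where one would do.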
