Merge pull request #6953 from matthiasdv/mdv/harden-systemd-service

Add more hardening to systemd service
author: Claus Vium <cvium@users.noreply.github.com> 2021-12-07 19:46:45 +0100
committer: GitHub <noreply@github.com> 2021-12-07 19:46:45 +0100
commit: dd8b9e9d2367893f2865d07dbe3a11c1adf6c631 (patch)
tree: 965e9a8c41b1923fce67032d7c00e14e558d8cef
parent: 9cafa2cab4c1a87598983db069b3aa55d5f42125 (diff)
parent: 3176a4ddd956a16f95b14ccedf2f6aa344019ab9 (diff)
1 files changed, 14 insertions, 1 deletions
diff --git a/debian/jellyfin.service b/debian/jellyfin.service
index e215a8536..071f949dd 100644
--- a/debian/jellyfin.service
+++ b/debian/jellyfin.service
@@ -13,7 +13,20 @@ TimeoutSec = 15
 NoNewPrivileges=true
 SystemCallArchitectures=native
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-ProtectKernelModules=True
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+PrivateTmp=true
+PrivateDevices=false
+PrivateUsers=true
+RemoveIPC=true
 SystemCallFilter=~@clock
 SystemCallFilter=~@aio
 SystemCallFilter=~@chown
author	Claus Vium <cvium@users.noreply.github.com>	2021-12-07 19:46:45 +0100
committer	GitHub <noreply@github.com>	2021-12-07 19:46:45 +0100
commit	dd8b9e9d2367893f2865d07dbe3a11c1adf6c631 (patch)
tree	965e9a8c41b1923fce67032d7c00e14e558d8cef
parent	9cafa2cab4c1a87598983db069b3aa55d5f42125 (diff)
parent	3176a4ddd956a16f95b14ccedf2f6aa344019ab9 (diff)