From 564990964d01b146378e253e17f7414ac129e732 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Thu, 4 Nov 2021 16:15:42 +0100
Subject: Add a bit of hardening to the systemd service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tested in an unprivileged lxc container, so it shouldn'tâ„¢ break anything.
---
 debian/jellyfin.service | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
(limited to 'debian')

diff --git a/debian/jellyfin.service b/debian/jellyfin.service
index b79cd47c7..e215a8536 100644
--- a/debian/jellyfin.service
+++ b/debian/jellyfin.service
@@ -10,5 +10,27 @@ ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELL
 Restart = on-failure
 TimeoutSec = 15
+NoNewPrivileges=true
+SystemCallArchitectures=native
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+ProtectKernelModules=True
+SystemCallFilter=~@clock
+SystemCallFilter=~@aio
+SystemCallFilter=~@chown
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@keyring
+SystemCallFilter=~@memlock
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@setuid
+SystemCallFilter=~@swap
+SystemCallErrorNumber=EPERM
+
+
 
 [Install]
 WantedBy = multi-user.target
-- 
cgit v1.2.3

From 3176a4ddd956a16f95b14ccedf2f6aa344019ab9 Mon Sep 17 00:00:00 2001
From: matthiasdv
Date: Mon, 6 Dec 2021 22:40:00 +0100
Subject: add more hardening to systemd service

---
 debian/jellyfin.service | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
(limited to 'debian')

diff --git a/debian/jellyfin.service b/debian/jellyfin.service
index e215a8536..071f949dd 100644
--- a/debian/jellyfin.service
+++ b/debian/jellyfin.service
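Review bot: Six of the added `SystemCallFilter=~@…` lines are subsets of `~@privileged` — systemd.exec(5) defines that group as including @chown, @clock, @module, @raw-io, @reboot and @swap — so listing them separately is redundant; harmless, but a one-line comment saying which groups are intentionally spelled out would spare the next reader from re-deriving it. `SystemCallErrorNumber=EPERM` also deserves a comment because it changes the failure mode: a blocked syscall returns an error to Jellyfin instead of terminating the process with SIGSYS, so sandbox breakage surfaces as "Operation not permitted" errors in the application log rather than as a unit crash, e.g. `# Blocked syscalls fail with EPERM instead of killing the process; when a feature breaks after this change, look for EPERM in the Jellyfin log before loosening the filter.` The hunk adds no filesystem confinement (`ProtectSystem=`, `ProtectHome=`, `CapabilityBoundingSet=`); whether those are safe depends on the paths the unit reaches through the `${JELLYFIN_*}` variables, which are outside this hunk, so they are worth evaluating rather than adding blindly.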
@@ -13,7 +13,20 @@ TimeoutSec = 15
 NoNewPrivileges=true
 SystemCallArchitectures=native
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-ProtectKernelModules=True
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+PrivateTmp=true
+PrivateDevices=false
+PrivateUsers=true
+RemoveIPC=true
 SystemCallFilter=~@clock
 SystemCallFilter=~@aio
 SystemCallFilter=~@chown
-- 
cgit v1.2.3

From 92448ffabd3236b6637492f0937d252d9d35d0ad Mon Sep 17 00:00:00 2001
From: nlog
Date: Sat, 18 Dec 2021 13:00:51 +0900
Subject: Remove ProtectClock for hardware encoding

---
 debian/jellyfin.service | 1 -
 1 file changed, 1 deletion(-)
(limited to 'debian')

diff --git a/debian/jellyfin.service b/debian/jellyfin.service
index 071f949dd..b86f40473 100644
--- a/debian/jellyfin.service
+++ b/debian/jellyfin.service
@@ -16,7 +16,6 @@ RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
-ProtectClock=true
 ProtectControlGroups=true
 ProtectHostname=true
 ProtectKernelLogs=true
-- 
cgit v1.2.3
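Review bot: `PrivateDevices=false` is already the default and is presumably written out so the service keeps access to device nodes, but `ProtectClock=true` in the same hunk undoes that intent: per systemd.exec(5) it implies `DeviceAllow=char-rtc r`, and the presence of any `DeviceAllow=` switches the unit's device policy to an allow-list, so other device nodes are cut off regardless of `PrivateDevices=`. The follow-up commit 92448ffabd drops `ProtectClock=` for hardware encoding, which matches this analysis; the alternative that keeps clock protection is to retain `ProtectClock=true` and add an explicit `DeviceAllow=` for the render devices the encoder needs, and whichever way it is decided the reason should be recorded, e.g. `# PrivateDevices stays off for hardware transcoding; any DeviceAllow= (including the one ProtectClock= implies) turns on device filtering, so list the needed nodes if you add one.` `PrivateUsers=true` is the most intrusive line here: it places the service in a user namespace where only its own user and root are mapped and everything else shows as nobody, so ownership of files belonging to other accounts (shared media directories, for instance) is no longer visible and host capabilities are unavailable to the unit. The lxc test mentioned in the first commit may not exercise that, so a note on what was verified with `PrivateUsers=` would help whoever has to debug a permission report later.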