mbiryukova/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Add SystemCallFilter=@system-service

Browse source
This commit is contained in:
Carl Tashian 2021-01-28 09:45:20 -08:00
parent 2af73881d7
commit 9fd0964e1c
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
systemd/step-ca.service
View file

@ -30,6 +30,7 @@ SecureBits=keep-caps
NoNewPrivileges=yes
; Sandboxing
; This works with YubiKey PIV (via pcscd), and presumably with YubiHSM2 via http connector
ProtectSystem=full
ProtectHome=true
RestrictNamespaces=true
@ -44,8 +45,8 @@ LockPersonality=true
RestrictSUIDSGID=true
RemoveIPC=true
RestrictRealtime=true
; confirmed this works, even with YubiKey PIV, and presumably with YubiHSM2:
PrivateDevices=true
SystemCallFilter=@system-service
MemoryDenyWriteExecute=true
ReadWriteDirectories=/etc/step-ca/db