>From f3f8511b6e23076f9b2fcdca00d5b19b4343bc29 Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@xxxxxxxxx>
Date: Thu, 4 Apr 2019 14:18:08 +0300
Subject: [PATCH] Harden systemd service

Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
---
 .../systemd/wpa_supplicant.service.in | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
index 75a37a8cd..d70e0bc36 100644
--- a/wpa_supplicant/systemd/wpa_supplicant.service.in
+++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
@@ -4,9 +4,28 @@ Before=network.target
 Wants=network.target

 [Service]
-Type=dbus
 BusName=fi.w1.wpa_supplicant1
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
 ExecStart=@BINDIR@/wpa_supplicant -u
+IPAddressDeny=any
+LimitMEMLOCK=0
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_PACKET
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+TasksMax=1
+Type=dbus
+UMask=0077

 [Install]
 WantedBy=multi-user.target
-- 
2.20.1
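Review bot: `ProtectSystem=strict` makes the whole filesystem read-only for the service (only /dev, /proc and /sys stay writable), so with no `ReadWritePaths=` or `RuntimeDirectory=` in the hunk the daemon would be unable to rewrite its configuration when a save is requested over D-Bus or to create its control-interface socket directory under /run, if the deployment uses those; the unit should carry something like `ReadWritePaths=<config-dir>` and `RuntimeDirectory=<runtime-dir-name>` (placeholders — the real paths depend on the build's configured locations). `TasksMax=1` is also brittle: it forbids any fork or thread, so it should be confirmed against the features compiled into this binary rather than assumed. `IPAddressDeny=any` together with `RestrictAddressFamilies=... AF_INET AF_INET6` still allows opening IP sockets for interface ioctls but blocks any actual IP traffic, which is probably the intent, but features that speak HTTP or UDP (e.g. WPS UPnP, UDP control interface) would silently fail; a one-line comment in the unit recording that trade-off would help the next maintainer. Each of these directives deserves a short comment on why it is safe for wpa_supplicant, since a failing sandbox rule surfaces only as an opaque runtime error.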