We've been running rpcbind 1.2.6 with it in openSUSE since 2021. NOTE: In systemd < 244 (released Nov 2019) some of these options are unknown and will produce warnings, see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort Cc: Johannes Segitz <jsegitz@xxxxxxxx> Signed-off-by: Petr Vorel <pvorel@xxxxxxx> --- systemd/rpcbind.service.in | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in index c5bbd5e..272e55a 100644 --- a/systemd/rpcbind.service.in +++ b/systemd/rpcbind.service.in @@ -10,6 +10,16 @@ Requires=rpcbind.socket Wants=rpcbind.target [Service] +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true Type=notify # distro can provide a drop-in adding EnvironmentFile=-/??? if needed. EnvironmentFile=-/etc/rpcbind.conf -- 2.45.2
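Review bot: The ten hardening directives added at the top of [Service], ahead of Type=notify, have no comment in the unit file, and the systemd < 244 caveat exists only in the commit message. A one-line comment above ProtectSystem=full, in the style of the existing "# distro can provide a drop-in" line, saying that older systemd versions will warn about unknown options would keep that information with the file that distributors actually read. Placing the block after Type=notify and EnvironmentFile= would also keep the service's functional settings first and the sandboxing grouped below them. Separately, ProtectSystem=full still leaves /var and /run writable; it would help to state in the commit message whether ProtectSystem=strict with explicit ReadWritePaths= was considered and why full was chosen.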