systemd: Harden stafd/stacd service files

Signed-off-by: Martin Belanger <martin.belanger@dell.com>
linux-nvme · Apr 29, 2024 · adae004 · adae004
1 parent a0f6948
commit adae004
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/usr/lib/systemd/system/stacd.in.service b/usr/lib/systemd/system/stacd.in.service
@@ -28,5 +28,14 @@ RuntimeDirectory=stacd
 CacheDirectory=stacd
 RuntimeDirectoryPreserve=yes
 
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectProc=invisible
+RestrictRealtime=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+
 [Install]
 WantedBy=multi-user.target
diff --git a/usr/lib/systemd/system/stafd.in.service b/usr/lib/systemd/system/stafd.in.service
@@ -31,5 +31,14 @@ RuntimeDirectory=stafd
 CacheDirectory=stafd
 RuntimeDirectoryPreserve=yes
 
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectProc=invisible
+RestrictRealtime=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+
 [Install]
 WantedBy=multi-user.target