Merge #12102: Apply hardening measures in bitcoind systemd service file

laanwj · laanwj · commit 7fb8fb43a630 · 2018-03-14T14:48:00.000+01:00
79ddfad Apply hardening measurements in bitcoind systemd service file (Florian Schmaus) Pull request description: Adds typical systemd hardening measurements for network services. Tree-SHA512: 63e54d5a2e3e625c123c91e4392474226ec26c48709f2627f4d9d257a59f6960dd53ba4faa10cd355a89cad37fe351e2dbe8db79e681645b59081cf83e940438
diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service
@@ -19,7 +19,26 @@ User=bitcoin
 Type=forking
 PIDFile=/run/bitcoind/bitcoind.pid
 Restart=on-failure
+
+# Hardening measures
+####################
+
+# Provide a private /tmp and /var/tmp.
 PrivateTmp=true
 
+# Mount /usr, /boot/ and /etc read-only for the process.
+ProtectSystem=full
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
+NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
+PrivateDevices=true
+
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
 [Install]
 WantedBy=multi-user.target
