Improve security hardening of example systemd service unit

m-rtijn · m-rtijn · commit 9110e04de6df · 2022-08-15T15:45:39.000+02:00
The current systemd-analyze security exposure score is now a mere 1.3
(tested on an up-to-date install of Ubuntu Server 20.04)
diff --git a/ippls.service b/ippls.service
@@ -8,13 +8,42 @@ Description=gunicorn instance for ippls
 After=network.target
 
 [Service]
-User=nobody
+#User=nobody
 WorkingDirectory=/opt/ippls/src
 Environment="PATH=/opt/ippls/ipplsvenv/bin"
 ExecStart=/opt/ippls/ipplsvenv/bin/gunicorn --workers 3 --bind 127.0.0.1:5000 wsgi:app
 ExecReload=/bin/kill -s HUP $MAINPID
 ExecStop=/bin/kill -s TERM $MAINPID
+
+# Extra security hardening options
+
+# Empty because ippls does not require any special capability. See capabilities(7) for more information.
+CapabilityBoundingSet=
+DynamicUser=true
+IPAddressAllow=127.0.0.0/8
+IPAddressDeny=any # the allow-list is evaluated before the deny list. Since the default is to allow, we need to deny everything.
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
 PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+UMask=077
 
 [Install]
 WantedBy=multi-user.target
