TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-04-18 20:51:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

tailscaled.service: Harden systemd unit somewhat (#1062)

Browse Source 
While not a full capability lockdown of the systemd unit, this still
improves sandboxing and security of the running process a good deal.

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
This commit is contained in:
Frederik “Freso” S. Olesen 2020-12-25 00:14:58 +00:00 committed by GitHub
parent 1a42cef3a2
commit a9a80ab372
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
cmd/tailscaled/tailscaled.service
View File

@ -20,5 +20,16 @@ CacheDirectory=tailscale
CacheDirectoryMode=0750 CacheDirectoryMode=0750
Type=notify Type=notify
LockPersonality=true
MemoryDenyWriteExecute=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/etc/
RestrictSUIDSGID=true
SystemCallArchitectures=native
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target