Merge pull request #6953 from matthiasdv/mdv/harden-systemd-service

Add more hardening to systemd service
2025-12-13 12:33:01 +03:00 · 2021-12-07 19:46:45 +01:00
parent 9cafa2cab4 3176a4ddd9
commit dd8b9e9d23
1 changed files with 14 additions and 1 deletions
--- a/debian/jellyfin.service
+++ b/debian/jellyfin.service
@@ -13,7 +13,20 @@ TimeoutSec = 15
 NoNewPrivileges=true
 SystemCallArchitectures=native
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-ProtectKernelModules=True
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+PrivateTmp=true
+PrivateDevices=false
+PrivateUsers=true
+RemoveIPC=true
 SystemCallFilter=~@clock
 SystemCallFilter=~@aio
 SystemCallFilter=~@chown