diff options
| author | Wladimir J. van der Laan <laanwj@gmail.com> | 2018-03-14 14:47:49 +0100 |
|---|---|---|
| committer | Wladimir J. van der Laan <laanwj@gmail.com> | 2018-03-14 14:48:00 +0100 |
| commit | 7fb8fb43a6303eac1cda11abf8b9980eddc4834f (patch) | |
| tree | 29f3a65410adebf8e9083bdd8c3de2c466bd071e | |
| parent | c4219ff3786e3f09678df8750a5d40208e0c9552 (diff) | |
| parent | 79ddfad486da002c76cf1909800066374ba07c9a (diff) | |
| download | bitcoin-7fb8fb43a6303eac1cda11abf8b9980eddc4834f.tar.xz | |
Merge #12102: Apply hardening measures in bitcoind systemd service file
79ddfad Apply hardening measurements in bitcoind systemd service file (Florian Schmaus)
Pull request description:
Adds typical systemd hardening measurements for network services.
Tree-SHA512: 63e54d5a2e3e625c123c91e4392474226ec26c48709f2627f4d9d257a59f6960dd53ba4faa10cd355a89cad37fe351e2dbe8db79e681645b59081cf83e940438
| -rw-r--r-- | contrib/init/bitcoind.service | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service index ee113d7615..877abafd19 100644 --- a/contrib/init/bitcoind.service +++ b/contrib/init/bitcoind.service @@ -19,7 +19,26 @@ User=bitcoin Type=forking PIDFile=/run/bitcoind/bitcoind.pid Restart=on-failure + +# Hardening measures +#################### + +# Provide a private /tmp and /var/tmp. PrivateTmp=true +# Mount /usr, /boot/ and /etc read-only for the process. +ProtectSystem=full + +# Disallow the process and all of its children to gain +# new privileges through execve(). +NoNewPrivileges=true + +# Use a new /dev namespace only populated with API pseudo devices +# such as /dev/null, /dev/zero and /dev/random. +PrivateDevices=true + +# Deny the creation of writable and executable memory mappings. +MemoryDenyWriteExecute=true + [Install] WantedBy=multi-user.target |