Apply hardening measurements in bitcoind systemd service file

Adds typical systemd hardening measurements for network services.
author: Florian Schmaus <flo@geekplace.eu> 2018-01-06 18:56:13 +0100
committer: Florian Schmaus <flo@geekplace.eu> 2018-03-14 08:11:07 +0100
commit: 79ddfad486da002c76cf1909800066374ba07c9a (patch)
tree: 6cde529a632951fb9c6956105dece0f14488a06c /contrib/init
parent: 6acd8700bc0ee1d10207a362c1e07372ba274041 (diff)
1 files changed, 19 insertions, 0 deletions
diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service
index ee113d7615..877abafd19 100644
--- a/contrib/init/bitcoind.service
+++ b/contrib/init/bitcoind.service
@@ -19,7 +19,26 @@ User=bitcoin
 Type=forking
 PIDFile=/run/bitcoind/bitcoind.pid
 Restart=on-failure
+
+# Hardening measures
+####################
+
+# Provide a private /tmp and /var/tmp.
 PrivateTmp=true
 
+# Mount /usr, /boot/ and /etc read-only for the process.
+ProtectSystem=full
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
+NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
+PrivateDevices=true
+
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
 [Install]
 WantedBy=multi-user.target
author	Florian Schmaus <flo@geekplace.eu>	2018-01-06 18:56:13 +0100
committer	Florian Schmaus <flo@geekplace.eu>	2018-03-14 08:11:07 +0100
commit	79ddfad486da002c76cf1909800066374ba07c9a (patch)
tree	6cde529a632951fb9c6956105dece0f14488a06c /contrib/init
parent	6acd8700bc0ee1d10207a362c1e07372ba274041 (diff)