From 79ddfad486da002c76cf1909800066374ba07c9a Mon Sep 17 00:00:00 2001
From: Florian Schmaus
Date: Sat, 6 Jan 2018 18:56:13 +0100
Subject: Apply hardening measurements in bitcoind systemd service file

Adds typical systemd hardening measurements for network services.
---
 contrib/init/bitcoind.service | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'contrib/init/bitcoind.service')

diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service
index ee113d7615..877abafd19 100644
--- a/contrib/init/bitcoind.service
+++ b/contrib/init/bitcoind.service
@@ -19,7 +19,26 @@ User=bitcoin
 Type=forking
 PIDFile=/run/bitcoind/bitcoind.pid
 Restart=on-failure
+
+# Hardening measures
+####################
+
+# Provide a private /tmp and /var/tmp.
 PrivateTmp=true
+# Mount /usr, /boot/ and /etc read-only for the process.
+ProtectSystem=full
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
+NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
+PrivateDevices=true
+
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
 [Install]
 WantedBy=multi-user.target
-- 
cgit v1.2.3
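Review bot: `ProtectSystem=full` only makes /usr, /boot and /etc read-only, so the daemon keeps write access to the rest of the tree (/var, /home, /root, …) even though it needs nothing beyond its data directory and the pid directory under /run; `ProtectSystem=strict` with `ReadWritePaths=<DATADIR>` (the data directory is given on the ExecStart line, outside this hunk; the /run directory is covered by `RuntimeDirectory=` if the unit sets it) plus `ProtectHome=true` would close that gap, and the `# Mount /usr, /boot/ and /etc read-only` comment should then describe the stricter policy. These directives are also version-dependent — `MemoryDenyWriteExecute=` was introduced in systemd 231 — and older systemd logs and ignores unknown directives, so on such hosts part of this hardening silently does not apply; a comment such as `# Requires systemd >= 231; older versions log a warning and ignore unknown directives.` under the `# Hardening measures` header would make that visible to whoever installs the unit. Finally, `MemoryDenyWriteExecute=true` will fail any future dependency that needs writable+executable mappings (JIT-style libraries), which is worth stating in the existing comment so the failure mode is recognised when it happens.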