titanz/Linux-Setup-Scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
titanz
2025-01-27 23:04:14 +01:00
commit 938b3e730e
42 changed files with 1454 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
etc/systemd/system/fwupd-refresh.service.d/override.conf Normal file
View File

@@ -0,0 +1,2 @@
[Service]
ExecStart=/usr/bin/fwupdmgr update

35
etc/systemd/system/unbound.service.d/override-chroot.conf Normal file
View File

@@ -0,0 +1,35 @@
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
# This breaks using socket options like 'so-rcvbuf'.
ProtectKernelTunables=true
ProtectProc=invisible
# ProtectSystem with strict does not work - need further testing.
ProtectSystem=full
#RuntimeDirectory=unbound
#ConfigurationDirectory=unbound
#StateDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
# Below rules are needed when chroot is enabled (usually it's enabled by default).
# If chroot is disabled like chroot: "" then they may be safely removed.
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log

26
etc/systemd/system/unbound.service.d/override.conf Normal file
View File

@@ -0,0 +1,26 @@
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_DAC_OVERRIDE
MemoryDenyWriteExecute=true
#NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
# This breaks using socket options like 'so-rcvbuf'.
ProtectKernelTunables=true
ProtectProc=invisible
# ProtectSystem with strict does not work - need further testing.
ProtectSystem=full
#RuntimeDirectory=unbound
#ConfigurationDirectory=unbound
#StateDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes