
Commit 5f27755

committed
dovecot: extend systemd service hardening
1 parent 98fa6e5 commit 5f27755

1 file changed

Lines changed: 24 additions & 0 deletions


Lines changed: 24 additions & 0 deletions
@@ -1,5 +1,29 @@
11
[Service]
2+
CapabilityBoundingSet=
3+
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_CHROOT
4+
LockPersonality=yes
5+
MemoryDenyWriteExecute=yes
6+
NoNewPrivileges=yes
7+
PrivateIPC=yes
8+
ProcSubset=pid
9+
ProtectClock=yes
10+
ProtectControlGroups=yes
11+
ProtectHome=yes
12+
ProtectHostname=yes
13+
ProtectKernelLogs=yes
14+
ProtectKernelModules=yes
15+
ProtectKernelTunables=yes
16+
ProtectProc=invisible
17+
ProtectSystem=strict
18+
ReadWritePaths=/srv/mail /var/lib/dovecot /var/spool/postfix/private
219
Restart=always
320
RestartMaxDelaySec=10s
421
RestartSec=100ms
522
RestartSteps=5
23+
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
24+
RestrictNamespaces=yes
25+
RestrictRealtime=yes
26+
RestrictSUIDSGID=yes
27+
SystemCallArchitectures=native
28+
SystemCallFilter=@system-service chroot
29+
SystemCallFilter=~@obsolete
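Review bot: With `ProtectSystem=strict`, the `ReadWritePaths=` line opens only /srv/mail, /var/lib/dovecot and /var/spool/postfix/private, so /tmp and /run remain read-only unless the unit being extended already sets `PrivateTmp=` or `RuntimeDirectory=`; this file looks like a drop-in, and the base unit is not visible here. I would add `PrivateTmp=yes` and `PrivateDevices=yes` next to `PrivateIPC=yes`, which gives the service a writable private /tmp and also removes the host's shared /tmp and device nodes from its view. The new `CapabilityBoundingSet=` also leaves out CAP_KILL, so if the root master process has to signal workers running under other UIDs, reload and stop may fail; worth testing both before rollout. `systemd-analyze security` on the unit will show what is still exposed after the change.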
