mail-mta/postfix: additional systemd hardening
Other distributions are doing the same thing, and these additions are recommended by systemd. See https://lwn.net/Articles/709755/

(cherry picked from commit 388f5ca)
Signed-off-by: Robin H. Johnson <[email protected]>
Fixes: gentoo#3629
candrews authored and robbat2 committed Jan 29, 2017
1 parent 52021dc commit 6d1bfd6
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions mail-mta/postfix/files/postfix.service
Expand Up @@ -15,6 +15,12 @@ ProtectSystem=full
ReadWritePaths=-/etc/mail/aliases.db
CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true

[Install]
WantedBy=multi-user.target
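
Review bot: The RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX line is an allowlist, and neither the unit file nor the commit message says why AF_NETLINK is on it. A short comment above the directive stating what each family is needed for would let a later editor tighten or extend the list without guessing, since a socket() call for any family not listed will simply fail at runtime. Separately, ProtectKernelModules=true overlaps with the CAP_SYS_MODULE entry already dropped by the CapabilityBoundingSet=~ line in the context above. That is harmless, but the two lines cover the same ground and could be noted as such.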
