From 3176a4ddd956a16f95b14ccedf2f6aa344019ab9 Mon Sep 17 00:00:00 2001 From: matthiasdv Date: Mon, 6 Dec 2021 22:40:00 +0100 Subject: [PATCH] add more hardening to systemd service --- debian/jellyfin.service | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/debian/jellyfin.service b/debian/jellyfin.service index e215a85362..071f949dd9 100644 --- a/debian/jellyfin.service +++ b/debian/jellyfin.service @@ -13,7 +13,20 @@ TimeoutSec = 15 NoNewPrivileges=true SystemCallArchitectures=native RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK -ProtectKernelModules=True +RestrictNamespaces=true +RestrictRealtime=true +RestrictSUIDSGID=true +ProtectClock=true +ProtectControlGroups=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +LockPersonality=true +PrivateTmp=true +PrivateDevices=false +PrivateUsers=true +RemoveIPC=true SystemCallFilter=~@clock SystemCallFilter=~@aio SystemCallFilter=~@chown