transmission/daemon/transmission-daemon.service

[Unit]
Description=Transmission BitTorrent Daemon
Wants=network-online.target
After=network-online.target
Documentation=man:transmission-daemon(1)

[Service]
User=transmission
Type=notify
ExecStart=/usr/bin/transmission-daemon -f --log-level=error
ExecReload=/bin/kill -s HUP $MAINPID

# Hardening
CapabilityBoundingSet=
DevicePolicy=closed
KeyringMode=private
LockPersonality=true
NoNewPrivileges=true
MemoryDenyWriteExecute=true
PrivateTmp=true
PrivateDevices=true
ProtectClock=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectProc=invisible
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=true
SystemCallFilter=@system-service
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
(trunk daemon) add a systemd service file for transmission-daemon. Suggestions / improvements welcomed at https://trac.transmissionbt.com/ticket/4503 2013-06-09 18:18:09 +00:00			`[Unit]`
			`Description=Transmission BitTorrent Daemon`
fix(daemon): wait for network-online.target (#2721) network.target does not guarantee interfaces are fully configured, which can result in bound addresses not being available when the daemon starts. This leads to errors on start-up and potentially broken connectivity. network-online.target does provide these guarantees, but needs a slightly different dependency configuration with Wants= on top of After= (cf. systemd.special(7)). Closes #2720. 2022-03-01 03:25:07 +00:00			`Wants=network-online.target`
			`After=network-online.target`
systemd service documentation key (#6781) Co-authored-by: Barak A. Pearlmutter <barak+git@pearlmutter.net> 2024-05-25 16:51:51 +00:00			`Documentation=man:transmission-daemon(1)`
(trunk daemon) add a systemd service file for transmission-daemon. Suggestions / improvements welcomed at https://trac.transmissionbt.com/ticket/4503 2013-06-09 18:18:09 +00:00
			`[Service]`
			`User=transmission`
in transmission-daemon.service, remove unnecessary comments and change Type from simple to notify since transmission-daemon uses sd_notify() 2013-06-09 19:54:58 +00:00			`Type=notify`
daemon: deprecated --log-error -> --log-level=error (#3201) 2022-06-05 06:13:11 +00:00			`ExecStart=/usr/bin/transmission-daemon -f --log-level=error`
(trunk, daemon) #5503: add an ExecReload rule to the systemd service file. 2014-01-21 02:19:48 +00:00			`ExecReload=/bin/kill -s HUP $MAINPID`
Harden systemd service (#6391) This commit includes strict, but still compatible, service hardening for transmission-daemon.service. The main goal is a defense-in-depth strategy that protects users from unknown vulnerabilities in transmission. In practice, transmission does not use any of the features that are blocked in this hardening. However, this is still a network facing daemon that, by design, accepts connections from unknown peers. So better safe than sorry. This commit also installs the service via CMake Co-authored-by: LaserEyess <LaserEyess@users.noreply.github.com> 2023-12-25 02:48:18 +00:00
			`# Hardening`
			`CapabilityBoundingSet=`
			`DevicePolicy=closed`
			`KeyringMode=private`
			`LockPersonality=true`
daemon: harden transmission-daemon.service Systemd 227 introduced the option to make a service disallow elevating privileges. 2018-12-28 21:23:33 +00:00			`NoNewPrivileges=true`
daemon: deny memory wx in transmission-daemon.service (#2573) Attempts to create memory mappings that are writable and executable at the same time, or to change existing memory mappings to become executable, or mapping shared memory segments as executable are prohibited. There's no reason transmission should be doing that. If it does, it's because of malicious code exploiting a vulnerability. See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute= 2022-02-05 04:08:51 +00:00			`MemoryDenyWriteExecute=true`
Add ProtectSystem and PrivateTmp to systemd service (#1452) ProtectSystem mounts /boot, /efi and /usr as read only, basically disallowing the daemon from ever writing there. PrivateTmp sets up a file system namespace for /tmp and /var/tmp/ basically hiding it from other processes. Co-authored-by: Charles Kerr <charles@charleskerr.com> 2022-02-13 20:06:55 +00:00			`PrivateTmp=true`
Harden systemd service (#6391) This commit includes strict, but still compatible, service hardening for transmission-daemon.service. The main goal is a defense-in-depth strategy that protects users from unknown vulnerabilities in transmission. In practice, transmission does not use any of the features that are blocked in this hardening. However, this is still a network facing daemon that, by design, accepts connections from unknown peers. So better safe than sorry. This commit also installs the service via CMake Co-authored-by: LaserEyess <LaserEyess@users.noreply.github.com> 2023-12-25 02:48:18 +00:00			`PrivateDevices=true`
			`ProtectClock=true`
			`ProtectKernelLogs=true`
			`ProtectControlGroups=true`
			`ProtectKernelModules=true`
			`ProtectSystem=true`
			`ProtectHostname=true`
			`ProtectKernelTunables=true`
			`ProtectProc=invisible`
			`RestrictNamespaces=true`
			`RestrictSUIDSGID=true`
			`RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`
			`RestrictRealtime=true`
			`SystemCallFilter=@system-service`
			`SystemCallArchitectures=native`
			`SystemCallErrorNumber=EPERM`
(trunk daemon) add a systemd service file for transmission-daemon. Suggestions / improvements welcomed at https://trac.transmissionbt.com/ticket/4503 2013-06-09 18:18:09 +00:00
			`[Install]`
			`WantedBy=multi-user.target`