Harden systemd service (#6391)

This commit includes strict, but still compatible, service hardening for transmission-daemon.service. The main goal is a defense-in-depth strategy that protects users from unknown vulnerabilities in transmission. In practice, transmission does not use any of the features that are blocked in this hardening. However, this is still a network facing daemon that, by design, accepts connections from unknown peers. So better safe than sorry. This commit also installs the service via CMake Co-authored-by: LaserEyess <LaserEyess@users.noreply.github.com>
2023-12-24 21:48:18 -05:00 · 2023-12-24 21:48:18 -05:00 · b562983cbd
parent 501487b8cf
commit b562983cbd
2 changed files with 28 additions and 1 deletions
--- a/daemon/CMakeLists.txt
+++ b/daemon/CMakeLists.txt
@ -52,4 +52,10 @@ foreach(P daemon)
            FILES ${TR_NAME}-${P}.1
            DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
    endif()
+
+    if (WITH_SYSTEMD)
+        install(
+            FILES ${TR_NAME}-${P}.service
+            DESTINATION ${CMAKE_INSTALL_LIBDIR}/systemd/system)
+    endif()
 endforeach()
--- a/daemon/transmission-daemon.service
+++ b/daemon/transmission-daemon.service
@ -8,10 +8,31 @@ User=transmission
 Type=notify
 ExecStart=/usr/bin/transmission-daemon -f --log-level=error
 ExecReload=/bin/kill -s HUP $MAINPID
+
+# Hardening
+CapabilityBoundingSet=
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=true
 NoNewPrivileges=true
 MemoryDenyWriteExecute=true
-ProtectSystem=true
 PrivateTmp=true
+PrivateDevices=true
+ProtectClock=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=true
+SystemCallFilter=@system-service
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM

 [Install]
 WantedBy=multi-user.target