mirror of
https://github.com/transmission/transmission
synced 2024-12-22 15:54:57 +00:00
b562983cbd
This commit includes strict, but still compatible, service hardening for transmission-daemon.service. The main goal is a defense-in-depth strategy that protects users from unknown vulnerabilities in transmission. In practice, transmission does not use any of the features that are blocked in this hardening. However, this is still a network facing daemon that, by design, accepts connections from unknown peers. So better safe than sorry. This commit also installs the service via CMake Co-authored-by: LaserEyess <LaserEyess@users.noreply.github.com>
38 lines
855 B
Desktop File
38 lines
855 B
Desktop File
[Unit]
|
|
Description=Transmission BitTorrent Daemon
|
|
Wants=network-online.target
|
|
After=network-online.target
|
|
|
|
[Service]
|
|
User=transmission
|
|
Type=notify
|
|
ExecStart=/usr/bin/transmission-daemon -f --log-level=error
|
|
ExecReload=/bin/kill -s HUP $MAINPID
|
|
|
|
# Hardening
|
|
CapabilityBoundingSet=
|
|
DevicePolicy=closed
|
|
KeyringMode=private
|
|
LockPersonality=true
|
|
NoNewPrivileges=true
|
|
MemoryDenyWriteExecute=true
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
ProtectClock=true
|
|
ProtectKernelLogs=true
|
|
ProtectControlGroups=true
|
|
ProtectKernelModules=true
|
|
ProtectSystem=true
|
|
ProtectHostname=true
|
|
ProtectKernelTunables=true
|
|
ProtectProc=invisible
|
|
RestrictNamespaces=true
|
|
RestrictSUIDSGID=true
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
RestrictRealtime=true
|
|
SystemCallFilter=@system-service
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|