transmission/daemon/transmission-daemon.service
LaserEyess b562983cbd
Harden systemd service (#6391)
This commit includes strict, but still compatible, service hardening for
transmission-daemon.service. The main goal is a defense-in-depth
strategy that protects users from unknown vulnerabilities in
transmission.

In practice, transmission does not use any of the features that are
blocked in this hardening. However, this is still a network facing
daemon that, by design, accepts connections from unknown peers. So
better safe than sorry.

This commit also installs the service via CMake

Co-authored-by: LaserEyess <LaserEyess@users.noreply.github.com>
2023-12-24 20:48:18 -06:00
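# transmission-daemon.service — systemd unit for the Transmission daemon.
# Read only by systemd: `#` full-line comments, `=` delimiter, no inline comments.
# Check syntax with `systemd-analyze verify transmission-daemon.service`;
# `systemd-analyze security transmission-daemon.service` reports what the
# sandbox below still leaves open.

[Unit]
Description=Transmission BitTorrent Daemon
# Start after the network is actually up, not merely configured.
Wants=network-online.target
After=network-online.target

[Service]
# Dedicated unprivileged account; the hardening below assumes the daemon never
# needs to escalate from it.
User=transmission
# Type=notify expects the binary to send sd_notify readiness — presumably a
# build with systemd support; without it startup would hang until timeout (verify).
Type=notify
# -f keeps the daemon in the foreground so systemd can supervise the main PID.
ExecStart=/usr/bin/transmission-daemon -f --log-level=error
# SIGHUP asks the running daemon to re-read its settings instead of restarting.
ExecReload=/bin/kill -s HUP $MAINPID

# Hardening — defense in depth for a network-facing daemon that accepts
# connections from unknown peers. Every line below removes access; none grants it.
# If a future change needs something listed here, loosen that one line rather
# than dropping the block.

# Empty set: the daemon starts with no capabilities at all.
CapabilityBoundingSet=
# Only standard pseudo-devices (null, zero, random, ...); already implied by
# PrivateDevices= below, kept for explicitness.
DevicePolicy=closed
# Private kernel keyring, not shared with the user's session keyring.
KeyringMode=private
# Forbid changing the execution domain (personality(2)).
LockPersonality=true
# No privilege gain through setuid/setgid or file capabilities in child processes.
NoNewPrivileges=true
# No writable-and-executable memory mappings (blocks JIT-style code injection).
MemoryDenyWriteExecute=true
# Private /tmp and /var/tmp, and a private minimal /dev.
PrivateTmp=true
PrivateDevices=true
# Kernel interfaces the daemon has no business touching.
ProtectClock=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectHostname=true
ProtectKernelTunables=true
# true: /usr and /boot read-only. Not `full`/`strict` here because some
# distributions keep the writable config directory under /etc; raising this
# needs a matching ReadWritePaths= — TODO confirm against the deployment layout.
ProtectSystem=true
# Hide other users' processes in /proc.
ProtectProc=invisible
# No new namespaces, no setuid/setgid files, no real-time scheduling.
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictRealtime=true
# Exactly the socket families a BitTorrent client needs: local sockets
# (journal, resolver) plus IPv4 and IPv6 peers.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# seccomp: allow the generic service syscall set only, native ABI only.
SystemCallFilter=@system-service
SystemCallArchitectures=native
# A filtered syscall fails with EPERM instead of killing the process, so a
# blocked call shows up as an error in the daemon's log rather than a crash;
# when debugging, look for seccomp denials in the journal/audit log.
SystemCallErrorNumber=EPERM
# Not enabled: ProtectHome=, UMask=, RemoveIPC=, PrivateUsers=. Whether they are
# safe depends on where this deployment keeps its config and download
# directories — review before adding.

[Install]
WantedBy=multi-user.target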