The following systemd security settings seem to work well, please consider adding them to the default configuration.

[Service]
# Capabilities retained after the bounding set is applied
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_IPC_LOCK CAP_KILL CAP_SETGID CAP_SETUID CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_SYS_TTY_CONFIG
# Filesystem and namespace isolation
ProtectSystem=true
PrivateTmp=true
ProtectHome=true
PrivateDevices=false
RestrictNamespaces=true
# Kernel interfaces
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
# Privilege and memory restrictions
MemoryDenyWriteExecute=true
RestrictSUIDSGID=false
NoNewPrivileges=false
LockPersonality=true
RestrictRealtime=true
UMask=077
# Network and syscall restrictions
RestrictAddressFamilies=AF_PACKET AF_INET AF_INET6 AF_UNIX AF_NETLINK
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @reboot @resources @swap
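As an added example that is not part of the post above, a small reviewer's check for a proposal like this one: it parses a [Service] drop-in, applies systemd's rule that a repeated single-valued directive is overridden by the later line while list directives such as CapabilityBoundingSet are merged, and flags overrides and the weaker settings a maintainer would want justified. The sample drop-in is a constructed excerpt, and the lists of weak settings and risky capabilities are the example's own assumptions, not a systemd or project list.

```python
"""Review a systemd [Service] drop-in for overridden or weak hardening directives."""

# Directives whose repeated assignments systemd merges into one list.
LIST = {"CapabilityBoundingSet", "SystemCallFilter", "RestrictAddressFamilies"}
# Settings a reviewer would want justified before merging (constructed, not exhaustive).
WEAK = {("NoNewPrivileges", "false"), ("RestrictSUIDSGID", "false"),
        ("PrivateDevices", "false")}
RISKY_CAPS = {"CAP_SYS_RAWIO", "CAP_DAC_OVERRIDE", "CAP_SYS_ADMIN"}

# Constructed excerpt mirroring the proposal: ProtectKernelModules appears twice.
SAMPLE = """\
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_SYS_RAWIO
ProtectSystem=true
NoNewPrivileges=false
ProtectKernelModules=false
ProtectKernelModules=true
ProtectSystem=true
SystemCallFilter=~@clock @cpu-emulation @debug
"""


def parse_service(text):
    """Return (effective, conflicts).

    effective maps directive -> value string, or a sorted token list for LIST
    directives (tokens kept verbatim; the leading '~' is not interpreted).
    conflicts lists (directive, earlier, later) for every scalar override.
    """
    effective, conflicts = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in LIST:
            effective.setdefault(key, set()).update(value.split())
        else:
            if key in effective and effective[key] != value:
                conflicts.append((key, effective[key], value))
            effective[key] = value  # last assignment wins for scalar settings
    return ({k: sorted(v) if isinstance(v, set) else v for k, v in effective.items()},
            conflicts)


def review(text):
    """Return (effective, findings) where findings are human-readable strings."""
    effective, conflicts = parse_service(text)
    findings = [f"{k}: {a} overridden by later {b}" for k, a, b in conflicts]
    findings += [f"{k}={v} weakens the sandbox" for k, v in WEAK if effective.get(k) == v]
    findings += [f"{c} kept in CapabilityBoundingSet" for c in sorted(RISKY_CAPS)
                 if c in effective.get("CapabilityBoundingSet", [])]
    return effective, findings
```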