#1094330 gpm: please use systemd security settings

Package:
gpm
Source:
gpm
Description:
General Purpose Mouse interface
Submitter:
Russell Coker
Date:
2025-01-27 08:36:03 UTC
Severity:
normal
Message #5 in #1094330
Date:
2025-01-27 08:33:52 UTC
The following systemd security settings seem to work well; please consider
adding them to the default configuration.

[Service]
# Bounding set: capabilities the service may retain; everything else is dropped.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_IPC_LOCK CAP_KILL CAP_SETGID CAP_SETUID CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_SYS_TTY_CONFIG
ProtectSystem=true
PrivateTmp=true
MemoryDenyWriteExecute=true
RestrictSUIDSGID=false
NoNewPrivileges=false
ProtectHostname=true
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectControlGroups=true
# Assigned twice in the original (false, then true); systemd keeps the last value.
ProtectKernelModules=true
# PrivateDevices=true would hide real device nodes (e.g. the mouse device) from the service.
PrivateDevices=false
RestrictNamespaces=true
ProtectClock=true
RestrictAddressFamilies=AF_PACKET AF_INET AF_INET6 AF_UNIX AF_NETLINK
LockPersonality=true
RestrictRealtime=true
UMask=077
# Leading ~ makes this a deny list: the named syscall groups are blocked, all others allowed.
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @reboot @resources @swap
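Added example, not part of the bug report or of the gpm package: a small resolver that computes the effective `[Service]` settings of a unit fragment the way systemd does (scalar keys are last-assignment-wins, while list keys such as `CapabilityBoundingSet`, `SystemCallFilter` and `RestrictAddressFamilies` are merged across repeated lines and reset by an empty assignment), and flags scalar keys that were assigned conflicting values. The input is a constructed sample in the shape of a hardening drop-in; the key set in `MERGED_LISTS` is an assumption limited to the settings this example covers.

```python
# Resolve effective [Service] settings of a systemd unit fragment.
# Assumed semantics: scalars are last-wins; the list-type keys below merge
# across repeated lines, and an empty assignment resets the list.
MERGED_LISTS = {"CapabilityBoundingSet", "SystemCallFilter",
                "RestrictAddressFamilies", "AmbientCapabilities"}

def resolve_service(text):
    """Return (effective, conflicts) for the [Service] section.

    effective: key -> value (str) or merged token list (list).
    conflicts: (key, earlier_value, later_value) for scalar keys that
    were assigned different values, usually a copy-paste slip in a drop-in.
    """
    effective, seen, conflicts, in_service = {}, {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank lines and comments
            continue
        if line.startswith("["):             # section header
            in_service = line == "[Service]"
            continue
        if not in_service or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in MERGED_LISTS:
            if value == "":
                effective[key] = []          # empty assignment resets the list
                continue
            items = effective.setdefault(key, [])
            for token in value.split():      # tokens kept verbatim, incl. a leading ~
                if token not in items:       # drop duplicates such as a repeated CAP_*
                    items.append(token)
        else:
            if key in seen and seen[key] != value:
                conflicts.append((key, seen[key], value))
            seen[key] = value
            effective[key] = value           # last assignment wins
    return effective, conflicts

# Constructed sample: repeated scalar keys and a repeated capability token.
SAMPLE = """[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_TTY_CONFIG CAP_NET_BIND_SERVICE
ProtectKernelModules=false
ProtectSystem=true
ProtectKernelModules=true
ProtectSystem=true
SystemCallFilter=~@clock @module
SystemCallFilter=~@reboot
"""

if __name__ == "__main__":
    eff, bad = resolve_service(SAMPLE)
    for key, earlier, later in bad:
        print(f"conflict: {key}={earlier} overridden by {key}={later}")
    print(eff)
```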