add additional protections to the management daemon's runtime environment

2026-03-12 17:07:23 +01:00 · 2022-09-18 15:43:10 -04:00
parent 5e1dcc933f
commit 603b716ac2
2 changed files with 11 additions and 0 deletions
--- a/conf/mailinabox.service
+++ b/conf/mailinabox.service
@@ -5,6 +5,16 @@ After=multi-user.target
 [Service]
 Type=idle
 IgnoreSIGPIPE=False
+ProtectSystem=yes
+ProtectHome=read-only
+ReadWritePaths=STORAGE_ROOT
+PrivateDevices=yes
+PrivateNetwork=no
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+SyslogIdentifier=mailinabox
 ExecStart=/usr/local/lib/mailinabox/start

 [Install]