Added service restrictions to systemd

2019-12-06 10:21:07 +01:00 · 2019-12-06 10:21:07 +01:00 · 5e7752b097
parent 55358b3561
commit 5e7752b097
2 changed files with 14 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,7 @@ This project follows [semantic versioning](http://semver.org).

 ### Unreleased

+- [added] Added service restrictions to systemd
 - [changed] Also drop privileges in foreground mode
 - [changed] Set builders to Ubuntu 16.04 and CentOS 7
 - [changed] Set keepalive to 120 secs when NAT is detected
--- a/assets/vpncloud@.service
+++ b/assets/vpncloud@.service
@ -2,12 +2,22 @@
 Description=VpnCloud network '%I'
 After=network-online.target
 Wants=network-online.target
+Documentation=man:vpncloud(1)

 [Service]
-Type=forking
-ExecStart=/usr/bin/vpncloud --config /etc/vpncloud/%i.net --daemon --log-file /var/log/vpncloud-%i.log --stats-file /var/log/vpncloud-%i.stats --pid-file /run/vpncloud-%i.pid
+Type=simple
+ExecStart=/usr/bin/vpncloud --config /etc/vpncloud/%i.net --log-file /var/log/vpncloud-%i.log --stats-file /var/log/vpncloud-%i.stats
 WorkingDirectory=/etc/vpncloud
-PIDFile=/run/vpncloud-%i.pid
+RestartSec=5s
+Restart=on-failure
+LimitNPROC=10
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ReadWritePaths=/var/log/vpncloud-%i.log /var/log/vpncloud-%i.stats
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw

 [Install]
 WantedBy=multi-user.target