Added service restrictions to systemd

This commit is contained in:
Dennis Schwerdel 2019-12-06 10:21:07 +01:00
parent 55358b3561
commit 5e7752b097
2 changed files with 14 additions and 3 deletions

View File

@ -4,6 +4,7 @@ This project follows [semantic versioning](http://semver.org).
### Unreleased ### Unreleased
- [added] Added service restrictions to systemd
- [changed] Also drop privileges in foreground mode - [changed] Also drop privileges in foreground mode
- [changed] Set builders to Ubuntu 16.04 and CentOS 7 - [changed] Set builders to Ubuntu 16.04 and CentOS 7
- [changed] Set keepalive to 120 secs when NAT is detected - [changed] Set keepalive to 120 secs when NAT is detected

View File

@ -2,12 +2,22 @@
Description=VpnCloud network '%I' Description=VpnCloud network '%I'
After=network-online.target After=network-online.target
Wants=network-online.target Wants=network-online.target
Documentation=man:vpncloud(1)
[Service] [Service]
Type=forking Type=simple
ExecStart=/usr/bin/vpncloud --config /etc/vpncloud/%i.net --daemon --log-file /var/log/vpncloud-%i.log --stats-file /var/log/vpncloud-%i.stats --pid-file /run/vpncloud-%i.pid ExecStart=/usr/bin/vpncloud --config /etc/vpncloud/%i.net --log-file /var/log/vpncloud-%i.log --stats-file /var/log/vpncloud-%i.stats
WorkingDirectory=/etc/vpncloud WorkingDirectory=/etc/vpncloud
PIDFile=/run/vpncloud-%i.pid RestartSec=5s
Restart=on-failure
LimitNPROC=10
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
ReadWritePaths=/var/log/vpncloud-%i.log /var/log/vpncloud-%i.stats
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target