authorMarcin Deranek <marcin.deranek@slonko.net>2024-03-04 09:20:10 +0100
committerMarcin Deranek <marcin.deranek@slonko.net>2024-03-04 09:38:48 +0100
commit3dddbef6f8f3360e5401be880ecc80e30741a2de (patch)
tree86ab125ea133dd1b31b6a68a474d3427fb3714cb /app-admin/vaultwarden/files
parentae7da0aff6178d44dc3bbfad09aaa47b2d01a7cb (diff)
app-admin/vaultwarden tighten security
Diffstat (limited to 'app-admin/vaultwarden/files')
-rw-r--r--app-admin/vaultwarden/files/vaultwarden.service41
1 files changed, 27 insertions, 14 deletions
diff --git a/app-admin/vaultwarden/files/vaultwarden.service b/app-admin/vaultwarden/files/vaultwarden.service
index 12ba0d4..4b6cbfc 100644
--- a/app-admin/vaultwarden/files/vaultwarden.service
+++ b/app-admin/vaultwarden/files/vaultwarden.service
@@ -4,34 +4,47 @@ Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target mariadb.service mysqld.service postgresql.service
[Service]
+ExecStart=/usr/bin/vaultwarden
+WorkingDirectory=/var/lib/vaultwarden
User=vaultwarden
Group=vaultwarden
-Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
-EnvironmentFile=/etc/vaultwarden.env
-ExecStart=/usr/bin/vaultwarden
+
+# Allow vaultwarden to bind ports in the range of 0-1024
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+NoNewPrivileges=yes
LimitNOFILE=1048576
-LimitNPROC=256
+UMask=0077
+LimitNPROC=64
+ProtectSystem=strict
+ProtectHome=true
+ReadWriteDirectories=/var/lib/vaultwarden
+PrivateUsers=yes
PrivateTmp=true
PrivateDevices=true
-ProtectHome=true
-ProtectSystem=strict
+ProtectHostname=yes
+ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
+ProtectKernelLogs=yes
ProtectControlGroups=yes
-
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
-SystemCallArchitectures=native
SystemCallFilter=@system-service
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
-WorkingDirectory=/var/lib/vaultwarden
-ReadWriteDirectories=/var/lib/vaultwarden
-# Allow vaultwarden to bind ports in the range of 0-1024
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
+EnvironmentFile=/etc/vaultwarden.env
[Install]
WantedBy=multi-user.target
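Review bot: The added `PrivateUsers=yes` works against the `AmbientCapabilities=CAP_NET_BIND_SERVICE` / `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` pair that this commit keeps at the top of `[Service]`. Per systemd.exec(5), a unit running in a private user namespace has no capabilities in the host's user namespace, and since no `PrivateNetwork=` is set the listening socket lives in the host network namespace, so binding a port below 1024 will most likely be refused despite the comment above those lines. Choose one posture and document it: either drop `PrivateUsers=yes` where a low port is needed, or keep it and clear both sets with `AmbientCapabilities=` and `CapabilityBoundingSet=` so the unit does not advertise a capability it cannot use. Separately, `ReadWriteDirectories=` is the legacy spelling; `ReadWritePaths=/var/lib/vaultwarden` is the documented name.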