author | Marcin Deranek <marcin.deranek@slonko.net> | 2024-03-04 09:20:10 +0100 |
---|---|---|
committer | Marcin Deranek <marcin.deranek@slonko.net> | 2024-03-04 09:38:48 +0100 |
commit | 3dddbef6f8f3360e5401be880ecc80e30741a2de (patch) | |
tree | 86ab125ea133dd1b31b6a68a474d3427fb3714cb /app-admin/vaultwarden/files | |
parent | ae7da0aff6178d44dc3bbfad09aaa47b2d01a7cb (diff) | |
app-admin/vaultwarden tighten security
Diffstat (limited to 'app-admin/vaultwarden/files')
-rw-r--r-- | app-admin/vaultwarden/files/vaultwarden.service | 41 |
1 files changed, 27 insertions, 14 deletions
diff --git a/app-admin/vaultwarden/files/vaultwarden.service b/app-admin/vaultwarden/files/vaultwarden.service
index 12ba0d4..4b6cbfc 100644
--- a/app-admin/vaultwarden/files/vaultwarden.service
+++ b/app-admin/vaultwarden/files/vaultwarden.service
@@ -4,34 +4,47 @@ Documentation=https://github.com/dani-garcia/vaultwarden
 After=network.target mariadb.service mysqld.service postgresql.service
 [Service]
+ExecStart=/usr/bin/vaultwarden
+WorkingDirectory=/var/lib/vaultwarden
 User=vaultwarden
 Group=vaultwarden
-Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
-EnvironmentFile=/etc/vaultwarden.env
-ExecStart=/usr/bin/vaultwarden
+
+# Allow vaultwarden to bind ports in the range of 0-1024
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+NoNewPrivileges=yes
 LimitNOFILE=1048576
-LimitNPROC=256
+UMask=0077
+LimitNPROC=64
+ProtectSystem=strict
+ProtectHome=true
+ReadWriteDirectories=/var/lib/vaultwarden
+PrivateUsers=yes
 PrivateTmp=true
 PrivateDevices=true
-ProtectHome=true
-ProtectSystem=strict
+ProtectHostname=yes
+ProtectClock=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
+ProtectKernelLogs=yes
 ProtectControlGroups=yes
-
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
-SystemCallArchitectures=native
 SystemCallFilter=@system-service
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
-WorkingDirectory=/var/lib/vaultwarden
-ReadWriteDirectories=/var/lib/vaultwarden
-# Allow vaultwarden to bind ports in the range of 0-1024
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
+EnvironmentFile=/etc/vaultwarden.env
 [Install]
 WantedBy=multi-user.target |
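Review bot: The added `PrivateUsers=yes` conflicts with the `AmbientCapabilities=CAP_NET_BIND_SERVICE` / `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` pair that this commit moves up under the "bind ports in the range of 0-1024" comment. With a private user namespace the service holds capabilities only inside that namespace and none on the host, so a bind below port 1024 in the host network namespace is expected to be refused. Choose one posture and make the comment match. Either keep `PrivateUsers=yes`, drop the ambient grant and leave `CapabilityBoundingSet=` empty for a deployment on an unprivileged port behind a reverse proxy, or remove `PrivateUsers=yes` where low ports must work. As a style point, `ReadWriteDirectories=` is the legacy spelling of `ReadWritePaths=/var/lib/vaultwarden`, and `systemd-analyze security vaultwarden.service` is a quick check of the resulting sandbox.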