Merge pull request #246 from eriksjolund/adjust_restrict_address_families

Improve security of systemd service rest-server.service by restricting network access
2025-12-07 09:36:13 -08:00 · 2023-07-23 12:16:34 +02:00
parent c38e18b708 ec2ce8cd27
commit 0bb8cd41d1
1 changed files with 8 additions and 4 deletions
--- a/examples/systemd/rest-server.service
+++ b/examples/systemd/rest-server.service
@@ -2,9 +2,8 @@
 Description=Rest Server
 After=syslog.target
 After=network.target
-
+Requires=rest-server.socket
-# if you want to use socket activation, make sure to require the socket here
+After=rest-server.socket
 #Requires=rest-server.socket
 [Service]
 Type=simple
@@ -37,6 +36,11 @@ CapabilityBoundingSet=
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=yes
 # As the listen socket is created by systemd via the rest-server.socket unit, it is
 # no longer necessary for rest-server to have access to the host network namespace.
 PrivateNetwork=yes
 PrivateTmp=yes
 PrivateDevices=true
 PrivateUsers=true
@@ -51,7 +55,7 @@ ProtectProc=invisible
 ProtectHostname=true
 RemoveIPC=true
 RestrictNamespaces=true
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=none
 RestrictSUIDSGID=true
 RestrictRealtime=true
 # if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host