tailscaled.service: Harden systemd unit somewhat (#1062)

While not a full capability lockdown of the systemd unit, this still
improves sandboxing and security of the running process a good deal.

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
pull/1069/head
Frederik “Freso” S. Olesen 4 years ago committed by GitHub
parent 1a42cef3a2
commit a9a80ab372
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -20,5 +20,16 @@ CacheDirectory=tailscale
CacheDirectoryMode=0750 CacheDirectoryMode=0750
Type=notify Type=notify
LockPersonality=true
MemoryDenyWriteExecute=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/etc/
RestrictSUIDSGID=true
SystemCallArchitectures=native
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
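
Review bot: `ReadWritePaths=/etc/`, on the line directly after `ProtectSystem=strict`, makes the whole of /etc writable to the service again, so the unit keeps write access to every system configuration file under that directory. Consider listing only the individual files or subdirectories of /etc that the daemon has to modify, with a comment in the unit saying why each one is needed. If the full directory really is required, stating that in the commit message would document the exception alongside the "not a full capability lockdown" remark.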
