What systemd security features should be used for ats? Ref: http://0pointer.de/blog/projects/security.html
I would suggest:

o "PrivateTmp=yes" to give the service a private /tmp.
o "InaccessibleDirectories=/home /root /boot" to completely hide these.
o "ReadOnlyDirectories=/usr /bin /sbin /lib /lib64 /opt" to make sure ATS can never change any binaries.
o "CapabilityBoundingSet=~CAP_SYS_PTRACE" to disable traffic_cop from tracing other processes?

Other capabilities that should be dropped? http://linux.die.net/man/7/capabilities

Too strict? Any comments?

-jf
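As an added example (not part of the post above and not code from Apache Traffic Server), the Python below audits a constructed unit file for the directives suggested in the post and also interprets the `~` inversion syntax of CapabilityBoundingSet, which goes slightly beyond the single-directive case the post shows. It assumes a single CapabilityBoundingSet assignment per unit; systemd merges repeated assignments, which this check does not model.

```python
"""Audit a systemd unit's [Service] section for the hardening directives
proposed in the post. Added example; the unit text below is constructed."""
import configparser

# Constructed sample unit: applies some, but not all, of the suggestions.
SAMPLE_UNIT = """\
[Unit]
Description=Apache Traffic Server (constructed sample)

[Service]
ExecStart=/usr/bin/traffic_cop
PrivateTmp=yes
ReadOnlyDirectories=/usr /bin /sbin /lib /lib64 /opt
CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_MODULE
"""

# Directives the post proposes, with the paths/value that satisfy each.
WANTED = {
    "PrivateTmp": "yes",
    "InaccessibleDirectories": "/home /root /boot",
    "ReadOnlyDirectories": "/usr /bin /sbin /lib /lib64 /opt",
}

def parse_service(unit_text):
    """Return the [Service] section as a dict. Unit files are close enough
    to INI for this check; directive names are case-sensitive in systemd."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(unit_text)
    return dict(cp["Service"]) if cp.has_section("Service") else {}

def ptrace_in_bounding_set(value):
    """A leading '~' means 'all capabilities EXCEPT the listed ones'; without
    it the listed capabilities ARE the set (an empty value drops them all).
    Returns True if CAP_SYS_PTRACE would remain in the bounding set."""
    if value is None:
        return True                      # directive absent: full set kept
    value = value.strip()
    if value.startswith("~"):
        return "CAP_SYS_PTRACE" not in value[1:].split()
    return "CAP_SYS_PTRACE" in value.split()

def audit(unit_text):
    """Map each suggested directive to True (hardened) or False (missing)."""
    svc = parse_service(unit_text)
    findings = {k: set(svc.get(k, "").split()) >= set(v.split())
                for k, v in WANTED.items()}
    findings["CapabilityBoundingSet"] = not ptrace_in_bounding_set(
        svc.get("CapabilityBoundingSet"))
    return findings
```

For the constructed unit, `audit(SAMPLE_UNIT)` reports InaccessibleDirectories as the only missing suggestion.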