From: Christian Hesse <m...@eworm.de>
ProtectSystem=true mounts the /usr and /boot directories read-only.
ProtectHome=true makes the directories /home, /root and /run/user
inaccessible and empty for the process.
See systemd.exec(5) [0] for details.
v2: Replace ProtectSystem=strict with ProtectSystem=true. Some configurations
may want to write to /etc or the like.
[0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Signed-off-by: Christian Hesse <m...@eworm.de>
---
distro/systemd/openvpn-client@.service | 2 ++
distro/systemd/openvpn-server@.service | 2 ++
2 files changed, 4 insertions(+)
diff --git a/distro/systemd/openvpn-client@.service
b/distro/systemd/openvpn-client@.service
index 5618af3..b92f2fa 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -17,6 +17,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW
CAP_SETGID CAP_SETU
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
+ProtectSystem=true
+ProtectHome=true
[Install]
WantedBy=multi-user.target
diff --git a/distro/systemd/openvpn-server@.service
b/distro/systemd/openvpn-server@.service
index b9b4dba..535a79d 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -17,6 +17,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
CAP_NET_BIND_SERVICE CAP_NET_RA
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
+ProtectSystem=true
+ProtectHome=true
[Install]
WantedBy=multi-user.target
--
2.11.0
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
