From 2066b53dde54eeec8c477b85c70c0808ec81b9df Mon Sep 17 00:00:00 2001
From: Scott Laird
Date: Sun, 3 Aug 2025 10:50:01 -0700
Subject: [PATCH] Add restart and security to systemd unit file

---
 resources/systemd/system/comentario.service | 42 ++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/resources/systemd/system/comentario.service b/resources/systemd/system/comentario.service
index 6b7e1c10..7ca522af 100644
--- a/resources/systemd/system/comentario.service
+++ b/resources/systemd/system/comentario.service
@@ -3,9 +3,49 @@ Description=Comentario
 After=network.target
 
 [Service]
-Type=simple
+Type=exec
 EnvironmentFile=/etc/comentario/comentario.conf
 ExecStart=/usr/bin/comentario -v
+Restart=always
+
+# Security customization, restricting what Comentario is allowed
+# to do. See `systemd-analyze security comentario` for more
+# details. These are enough to drop the "exposure level" from
+# 9.6 to 3.9, for whatever that's worth.
+CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)
+CapabilityBoundingSet=~CAP_AUDIT_*
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
+CapabilityBoundingSet=~CAP_KILL
+CapabilityBoundingSet=~CAP_NET_ADMIN
+CapabilityBoundingSet=~CAP_SYS_BOOT
+CapabilityBoundingSet=~CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_TIME
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=true
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=true
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
 
 [Install]
 WantedBy=multi-user.target
-- 
GitLab
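Review bot: The hardened [Service] section still has no `User=` or `DynamicUser=` line, so unless a drop-in supplies one the daemon runs as root, and the `~`-style CapabilityBoundingSet= lines only subtract a handful of capabilities while CAP_SYS_ADMIN, CAP_SETUID/CAP_SETGID, CAP_SYS_PTRACE and CAP_NET_RAW stay in the bounding set. Running under a dedicated account with an allow-list, e.g. `User=comentario` plus an empty `CapabilityBoundingSet=` (adding `AmbientCapabilities=CAP_NET_BIND_SERVICE` only if it must bind a privileged port), removes far more exposure than the listed denials. `CAP_(DAC_*|FOWNER|IPC_OWNER)` is the wording systemd-analyze uses to label its check rather than a capability list every systemd version is guaranteed to parse, so verify with `systemctl show comentario -p CapabilityBoundingSet` and the journal that the line is not being dropped, or spell it out as `CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER`. The syscall filter is likewise a deny-list; the allow-list `SystemCallFilter=@system-service` together with `SystemCallArchitectures=native` is the usual way to close the remaining groups, and `Restart=always` should be paired with a `RestartSec=` so a crash loop does not immediately trip the default start rate limit and leave the unit failed.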