mirror of
https://github.com/whyvl/wireproxy.git
synced 2025-04-29 19:01:42 +02:00
4f066d050a
wireproxy needs very little permissions, we can restrict it to basically nothing. DynamicUser means the system will generate a UID on demand for service, also CAP_NET_BIND_SERVICE can be used to allow this user to bind to a port < 1024 if desired. Also LoadCredential lets us read a file with tight permissions i.e. root:root 0400 and pass it to only wireproxy in an ephemeral and constrained manner. Signed-off-by: J. Dekker <jdek@itanimul.li>
46 lines
1.1 KiB
Desktop File
46 lines
1.1 KiB
Desktop File
[Unit]
|
|
Description=Wireproxy socks5/http tunnel
|
|
Wants=network-online.target
|
|
After=network-online.target
|
|
|
|
[Service]
|
|
User=wireproxy
|
|
Group=wireproxy
|
|
SyslogIdentifier=wireproxy
|
|
Type=simple
|
|
Restart=on-failure
|
|
RestartSec=30s
|
|
|
|
DynamicUser=yes
|
|
LoadCredential=conf:/etc/wireproxy.conf
|
|
ExecStartPre=/opt/wireproxy/wireproxy -n -c ${CREDENTIALS_DIRECTORY}/conf
|
|
ExecStart=/opt/wireproxy/wireproxy -c ${CREDENTIALS_DIRECTORY}/conf
|
|
|
|
# Required if <1024 port
|
|
#AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
LimitNPROC=64
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
NoNewPrivileges=true
|
|
PrivateDevices=true
|
|
PrivateTmp=true
|
|
PrivateUsers=true
|
|
ProcSubset=pid
|
|
ProtectClock=true
|
|
ProtectControlGroups=true
|
|
ProtectHome=true
|
|
ProtectHostname=true
|
|
ProtectKernelLogs=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
ProtectProc=invisible
|
|
ProtectSystem=strict
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|