add some hardening options to systemd unit

author Jan Palus <atler@pld-linux.org>

Mon, 28 Aug 2023 15:48:59 +0000 (17:48 +0200)

committer Jan Palus <atler@pld-linux.org>

Mon, 28 Aug 2023 15:48:59 +0000 (17:48 +0200)
author Jan Palus <atler@pld-linux.org>
Mon, 28 Aug 2023 15:48:59 +0000 (17:48 +0200)
committer Jan Palus <atler@pld-linux.org>
Mon, 28 Aug 2023 15:48:59 +0000 (17:48 +0200)
diff --git a/mosquitto.service b/mosquitto.service

index f04a0654b3842b5d418571c37a44f04f8d4fc629..bcc123034797b0c0b8f4ecd2d69c0c04883d4620 100644 (file)
--- a/mosquitto.service
+++ b/mosquitto.service
@@ -12,6 +12,13 @@ Group=mosquitto
  ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
  ExecReload=/bin/kill -HUP $MAINPID
  Restart=on-failure
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectHome=yes
+ProtectProc=invisible
+ProtectSystem=yes
+RestrictNamespaces=yes
  
  [Install]
  WantedBy=multi-user.target
author	Jan Palus <atler@pld-linux.org>
	Mon, 28 Aug 2023 15:48:59 +0000 (17:48 +0200)
committer	Jan Palus <atler@pld-linux.org>
	Mon, 28 Aug 2023 15:48:59 +0000 (17:48 +0200)