[Pkg-kde-extras] Bug#987648: quassel-core: Add hardening options to service file
Christian Göttsche
cgzones at googlemail.com
Fri Apr 11 09:23:32 BST 2025
I am currently running the following hardening settings:
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProcSubset=pid
ProtectSystem=strict
StateDirectory=quassel
LogsDirectory=quassel
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=@system-service
CapabilityBoundingSet=
p.s.:
Additionally I am also building quassl with Control Flow Integrity
enabled, see https://salsa.debian.org/qt-kde-team/extras/quassel/-/merge_requests/12
More information about the pkg-kde-extras
mailing list