Apply hardening measurements in bitcoind systemd service file

Adds typical systemd hardening measurements for network services.
author: Florian Schmaus <[email protected]> 2018-01-06 18:56:13 +0100
committer: Florian Schmaus <[email protected]> 2018-03-14 08:11:07 +0100
commit: 79ddfad486da002c76cf1909800066374ba07c9a (patch)
tree: 6cde529a632951fb9c6956105dece0f14488a06c
parent: Merge #9680: Unify CWalletTx construction (diff)
download: discoin-79ddfad486da002c76cf1909800066374ba07c9a.tar.xz
discoin-79ddfad486da002c76cf1909800066374ba07c9a.zip
1 files changed, 19 insertions, 0 deletions
diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service
index ee113d761..877abafd1 100644
--- a/contrib/init/bitcoind.service
+++ b/contrib/init/bitcoind.service
@@ -19,7 +19,26 @@ User=bitcoin
 Type=forking
 PIDFile=/run/bitcoind/bitcoind.pid
 Restart=on-failure
+
+# Hardening measures
+####################
+
+# Provide a private /tmp and /var/tmp.
 PrivateTmp=true
 
+# Mount /usr, /boot/ and /etc read-only for the process.
+ProtectSystem=full
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
+NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
+PrivateDevices=true
+
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
 [Install]
 WantedBy=multi-user.target
author	Florian Schmaus <[email protected]>	2018-01-06 18:56:13 +0100
committer	Florian Schmaus <[email protected]>	2018-03-14 08:11:07 +0100
commit	79ddfad486da002c76cf1909800066374ba07c9a (patch)
tree	6cde529a632951fb9c6956105dece0f14488a06c
parent	Merge #9680: Unify CWalletTx construction (diff)
download	discoin-79ddfad486da002c76cf1909800066374ba07c9a.tar.xz discoin-79ddfad486da002c76cf1909800066374ba07c9a.zip