mail-mta/postfix: additional systemd hardening

Other distributions are doing the same thing, and these additions are recommended by systemd. See https://lwn.net/Articles/709755/ (cherry picked from commit 388f5cae8b89039f285a66651bc70d662a9d8e57) Signed-off-by: Robin H. Johnson <robbat2@gentoo.org> Fixes: https://github.com/gentoo/gentoo/pull/3629
author: Craig Andrews <candrews@integralblue.com> 2017-01-24 12:39:20 -0500
committer: Robin H. Johnson <robbat2@gentoo.org> 2017-01-29 15:46:19 -0800
commit: 6d1bfd687106fcb4a75e0d225d77153f2b9c581d (patch)
tree: 2c2edc7e66f813f2019fb34b17710d8007f99ea3
parent: kde-plasma/kde-gtk-config: Restrict tests for now (diff)
download: gentoo-6d1bfd687106fcb4a75e0d225d77153f2b9c581d.tar.gz
gentoo-6d1bfd687106fcb4a75e0d225d77153f2b9c581d.tar.bz2
gentoo-6d1bfd687106fcb4a75e0d225d77153f2b9c581d.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/mail-mta/postfix/files/postfix.service b/mail-mta/postfix/files/postfix.service
index 585849e978b3..db585b3e29db 100644
--- a/mail-mta/postfix/files/postfix.service
+++ b/mail-mta/postfix/files/postfix.service
@@ -15,6 +15,12 @@ ProtectSystem=full
 ReadWritePaths=-/etc/mail/aliases.db
 CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE
 MemoryDenyWriteExecute=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
 
 [Install]
 WantedBy=multi-user.target
author	Craig Andrews <candrews@integralblue.com>	2017-01-24 12:39:20 -0500
committer	Robin H. Johnson <robbat2@gentoo.org>	2017-01-29 15:46:19 -0800
commit	6d1bfd687106fcb4a75e0d225d77153f2b9c581d (patch)
tree	2c2edc7e66f813f2019fb34b17710d8007f99ea3
parent	kde-plasma/kde-gtk-config: Restrict tests for now (diff)
download	gentoo-6d1bfd687106fcb4a75e0d225d77153f2b9c581d.tar.gz gentoo-6d1bfd687106fcb4a75e0d225d77153f2b9c581d.tar.bz2 gentoo-6d1bfd687106fcb4a75e0d225d77153f2b9c581d.zip