mail-mta/postfix: add systemd hardening

Package-Manager: portage-2.2.28
author: Richard Freeman <rich0@gentoo.org> 2016-08-13 17:03:55 -0400
committer: Richard Freeman <rich0@gentoo.org> 2016-08-13 17:03:55 -0400
commit: 80f094370d5e5c11c8f5eb3bde48710403309261 (patch)
tree: bead7a1f1eb8f090bc207cf7f6469a9bc345ce55 /mail-mta/postfix/files
parent: www-servers/apache: add systemd hardening (diff)
download: gentoo-80f094370d5e5c11c8f5eb3bde48710403309261.tar.gz
gentoo-80f094370d5e5c11c8f5eb3bde48710403309261.tar.bz2
gentoo-80f094370d5e5c11c8f5eb3bde48710403309261.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/mail-mta/postfix/files/postfix.service b/mail-mta/postfix/files/postfix.service
index d3d4804138b9..eddd5507ba8e 100644
--- a/mail-mta/postfix/files/postfix.service
+++ b/mail-mta/postfix/files/postfix.service
@@ -8,6 +8,12 @@ ExecStartPre=-/usr/bin/newaliases
 ExecStart=/usr/sbin/postfix start
 ExecStop=/usr/sbin/postfix stop
 ExecReload=/usr/sbin/postfix reload
+# Hardening
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE
+MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
author	Richard Freeman <rich0@gentoo.org>	2016-08-13 17:03:55 -0400
committer	Richard Freeman <rich0@gentoo.org>	2016-08-13 17:03:55 -0400
commit	80f094370d5e5c11c8f5eb3bde48710403309261 (patch)
tree	bead7a1f1eb8f090bc207cf7f6469a9bc345ce55 /mail-mta/postfix/files
parent	www-servers/apache: add systemd hardening (diff)
download	gentoo-80f094370d5e5c11c8f5eb3bde48710403309261.tar.gz gentoo-80f094370d5e5c11c8f5eb3bde48710403309261.tar.bz2 gentoo-80f094370d5e5c11c8f5eb3bde48710403309261.zip