Merge branch 'sandbox' into 'master'

[systemd] Sandbox the udhcpd service. JB#37897 JB#44449 See merge request mer-core/busybox!11
sailfishos · Feb 6, 2020 · 62acbd5 · 62acbd5
2 parents a30fbde + 708755d
commit 62acbd5
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/rpm/udhcpd.service b/rpm/udhcpd.service
@@ -6,3 +6,9 @@ Conflicts=shutdown.target
 
 [Service]
 ExecStart=/usr/sbin/udhcpd -f
+# Sandboxing
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE CAP_NET_RAW
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full