[systemd] Sandbox the udhcpd service. JB#37897 JB#44449

sailfishos · Feb 5, 2020 · 708755d · 708755d
1 parent a30fbde
commit 708755d
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/rpm/udhcpd.service b/rpm/udhcpd.service
@@ -6,3 +6,9 @@ Conflicts=shutdown.target
 
 [Service]
 ExecStart=/usr/sbin/udhcpd -f
+# Sandboxing
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE CAP_NET_RAW
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full