systemd hardened unit file
Added by Martin Bednar over 8 years ago
In my spree to tighten down rights of long running daemons on my system, I came up with the following systemd unit file:

[Unit]
Description=tvheadend
After=network.target

[Service]
User=tvheadend
Group=video
Type=simple
PIDFile=/run/tvheadend/tvheadend.pid
ExecStart=/usr/bin/tvheadend -p /run/tvheadend/tvheadend.pid -C -c /etc/tvheadend
ExecStop=/bin/kill -QUIT $MAINPID
Restart=always
RestartSec=5
# Hardening
PrivateTmp=yes
DeviceAllow=char-DVB
DevicePolicy=closed
ReadWriteDirectories=/mnt/local/record /etc/tvheadend
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
What this does is prevent tvheadend from accessing device nodes other than those related to DVB, and it doesn't allow it to write (almost) anywhere in the system except its config and a folder for recordings. tvheadend also doesn't start as root anymore.
This is tested with current tvheadend git, systemd-229 and linux-4.5, and only dvb.
If you try it, and find issues, please share!
Serafean.
Bonus tip:
If you want tvheadend to bind to ports < 1024, add

CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

to the service section (untested).
Replies (1)
RE: systemd hardened unit file - Added by Martin Bednar almost 8 years ago
Update:
Added more lockdown options.
Allowed access to DRM devices (should enable hw accelerated transcoding)

[Unit]
Description=tvheadend
After=network.target

[Service]
User=tvheadend
Group=video
Type=simple
PIDFile=/run/tvheadend/tvheadend.pid
ExecStart=/usr/bin/tvheadend -6 -p /run/tvheadend/tvheadend.pid -C -c /etc/tvheadend
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -QUIT $MAINPID
Restart=always
RestartSec=5
# Hardening
PrivateTmp=yes
ProtectKernelTunables = yes
ProtectControlGroups = yes
ProtectKernelModules = yes
DeviceAllow=char-DVB rw
DeviceAllow=char-drm rw
DevicePolicy=closed
ReadWriteDirectories=/etc/tvheadend
RuntimeDirectory=tvheadend
ProtectSystem=strict
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
You will need to add your recordings directory to the ReadWriteDirectories entry.
Tested using systemd 232 and linux 4.8.12.
HW encoding doesn't work on my system, so any feedback on that would be welcome.
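Both unit files in this thread rely on a handful of [Service] directives doing the real work (an unprivileged User, PrivateTmp, ProtectSystem, ProtectHome, NoNewPrivileges, a closed DevicePolicy and the ProtectKernel*/ProtectControlGroups switches), and the reply's switch from ProtectSystem=full to strict is exactly the change that makes a forgotten ReadWriteDirectories entry turn into a read-only recordings folder. The script below is an added example for checking a unit offline before loading it; it is not tvheadend's code and not the thread author's. It parses only the [Service] section, the list of directives it looks for is its own (hypothetical) checklist drawn from the two posts, and the two sample units it writes to a temp directory are constructed for the demo.

```shell
#!/bin/sh
# Offline audit of a systemd .service file for the hardening directives discussed
# in this thread. Added example; the checklist below is our own choice, not a
# systemd or tvheadend definition.
set -u

# Directives expected in a hardened long-running daemon unit (hypothetical checklist).
HARDENING_KEYS="User PrivateTmp ProtectSystem ProtectHome NoNewPrivileges DevicePolicy ProtectKernelTunables ProtectKernelModules ProtectControlGroups"

# unit_get FILE KEY: print KEY's value from the [Service] section (last one wins),
# or nothing if absent. Whitespace around '=' is stripped, as systemd does.
unit_get() {
    awk -v key="$2" '
        /^\[/ { sect = $0; next }
        sect == "[Service]" && $0 !~ /^[ \t]*#/ && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_unit FILE: print one line per finding ("note:" lines are informational).
audit_unit() {
    file="$1"
    for key in $HARDENING_KEYS; do
        [ -n "$(unit_get "$file" "$key")" ] || echo "missing: $key"
    done
    # ProtectSystem=strict mounts the whole tree read-only except /dev, /proc and /sys,
    # so config and recordings directories must be listed explicitly.
    if [ "$(unit_get "$file" ProtectSystem)" = "strict" ] \
       && [ -z "$(unit_get "$file" ReadWritePaths)" ] \
       && [ -z "$(unit_get "$file" ReadWriteDirectories)" ]; then
        echo "ProtectSystem=strict with no writable path: config and recordings will be read-only"
    fi
    # ReadWriteDirectories is the legacy spelling; newer systemd documents ReadWritePaths.
    [ -z "$(unit_get "$file" ReadWriteDirectories)" ] || \
        echo "note: ReadWriteDirectories is the legacy name for ReadWritePaths"
    # Running as root defeats most of the sandbox.
    [ "$(unit_get "$file" User)" != "root" ] || echo "User=root: daemon keeps full privileges"
}

# count_findings FILE: number of non-informational findings.
count_findings() {
    audit_unit "$1" | awk '!/^note:/ { n++ } END { print n + 0 }'
}

# write_sample_units DIR: two constructed units, one mirroring the reply's hardening
# and one with almost nothing set (sample data, not real files from any system).
write_sample_units() {
    cat > "$1/hardened.service" <<'EOF'
[Unit]
Description=tvheadend (constructed sample)
After=network.target

[Service]
User=tvheadend
Group=video
ExecStart=/usr/bin/tvheadend -C -c /etc/tvheadend
ExecStop=/bin/kill -QUIT $MAINPID
# Hardening
PrivateTmp=yes
ProtectKernelTunables = yes
ProtectControlGroups = yes
ProtectKernelModules = yes
DeviceAllow=char-DVB rw
DevicePolicy=closed
ReadWriteDirectories=/etc/tvheadend
ProtectSystem=strict
ProtectHome=yes
NoNewPrivileges=yes
EOF
    cat > "$1/weak.service" <<'EOF'
[Unit]
Description=weak (constructed sample)

[Service]
ExecStart=/usr/bin/tvheadend
ProtectSystem=strict
EOF
}

# Demo: audit both samples, then clean up.
demo_dir=$(mktemp -d)
write_sample_units "$demo_dir"
for name in weak hardened; do
    echo "== $name.service: $(count_findings "$demo_dir/$name.service") finding(s)"
    audit_unit "$demo_dir/$name.service"
done
rm -rf "$demo_dir"
```

The weak sample reports nine findings (eight missing directives plus strict mode with no writable path), the hardened one reports none and only the informational note about ReadWriteDirectories. On a host with systemd 240 or newer, `systemd-analyze security tvheadend.service` gives the same kind of review against systemd's own, much longer checklist.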