Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add SystemCallFilter=@system-service

Browse Source
pull/458/head
Carl Tashian 3 years ago
parent 2af73881d7
commit 9fd0964e1c
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File

3
systemd/step-ca.service
Unescape Escape View File

@ -30,6 +30,7 @@ SecureBits=keep-caps
NoNewPrivileges=yes
; Sandboxing
; This works with YubiKey PIV (via pcscd), and presumably with YubiHSM2 via http connector
ProtectSystem=full
ProtectHome=true
RestrictNamespaces=true
@ -44,8 +45,8 @@ LockPersonality=true
RestrictSUIDSGID=true
RemoveIPC=true
RestrictRealtime=true
; confirmed this works, even with YubiKey PIV, and presumably with YubiHSM2:
PrivateDevices=true
SystemCallFilter=@system-service
MemoryDenyWriteExecute=true
ReadWriteDirectories=/etc/step-ca/db

Write Preview
Loading…
Cancel
Save