todo
		
							parent
							
								
									b2b6f08b86
								
							
						
					
					
						commit
						00ffe8e8bc
					
				
					 1 changed files with 41 additions and 0 deletions
				
			
		
							
								
								
									
										41
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										41
									
								
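--- a/README.md
+++ b/README.md
@@ -12,3 +12,44 @@ Raspberry pi as soundcard
 - gadget mode
 - OTG g_audio
 - https://audiosciencereview.com/forum/index.php?threads/raspberry-pi-as-usb-to-i2s-adapter.8567/post-215824
+
+## systemd hardening
+[Unit]
+Description=TEST
+
+[Service]
+Type=oneshot
+ExecStart=/opt/test
+
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=none
+RestrictFileSystems=ext4 tmpfs zfs
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=
+SystemCallArchitectures=native
+CapabilityBoundingSet=
+
+ReadOnlyPaths=/
+
+NoExecPaths=/
+ExecPaths=/opt/test /bin/bash /lib
+
+[Install]
+WantedBy=multi-user.target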
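Review bot: `SystemCallFilter=` is left empty in the added unit, and for this directive an empty assignment resets the list rather than denying everything, so no syscall filter is applied (the opposite of the empty `CapabilityBoundingSet=` two lines below, which does drop all capabilities). An explicit allow-list such as `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources` would give the restriction the section title promises. No `User=` or `NoNewPrivileges=yes` line is visible either, so the service presumably starts as root; stating both explicitly is worth considering. The unit text is also not inside a fenced code block, so the README will render it as running prose instead of a copyable unit file.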