cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

todo

Browse source
This commit is contained in:
mwiegand 2022-03-26 14:11:22 +01:00
parent 00ffe8e8bc
commit 5ab169efe0
2 changed files with 40 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
README.md
View file

@ -12,44 +12,3 @@ Raspberry pi as soundcard
- gadget mode
- OTG g_audio
- https://audiosciencereview.com/forum/index.php?threads/raspberry-pi-as-usb-to-i2s-adapter.8567/post-215824
## systemd hardening
[Unit]
Description=TEST
[Service]
Type=oneshot
ExecStart=/opt/test
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateUsers=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=none
RestrictFileSystems=ext4 tmpfs zfs
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
PrivateMounts=yes
SystemCallFilter=
SystemCallArchitectures=native
CapabilityBoundingSet=
ReadOnlyPaths=/
NoExecPaths=/
ExecPaths=/opt/test /bin/bash /lib
[Install]
WantedBy=multi-user.target

40
test.service Normal file
View file

@ -0,0 +1,40 @@
[Unit]
Description=TEST
[Service]
Type=oneshot
ExecStart=/opt/test
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateUsers=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=none
RestrictFileSystems=ext4 tmpfs zfs
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
PrivateMounts=yes
SystemCallFilter=
SystemCallArchitectures=native
CapabilityBoundingSet=
ProtectProc=invisible
ReadOnlyPaths=/
NoExecPaths=/
ExecPaths=/opt/test /bin/bash /lib
[Install]
WantedBy=multi-user.target