todo
This commit is contained in:
mwiegand
parent
00ffe8e8bc
commit
5ab169efe0
2 changed files with 40 additions and 41 deletions
41
README.md
41
README.md
|
|
@ -12,44 +12,3 @@ Raspberry pi as soundcard
|
||||||
- gadget mode
|
- gadget mode
|
||||||
- OTG g_audio
|
- OTG g_audio
|
||||||
- https://audiosciencereview.com/forum/index.php?threads/raspberry-pi-as-usb-to-i2s-adapter.8567/post-215824
|
- https://audiosciencereview.com/forum/index.php?threads/raspberry-pi-as-usb-to-i2s-adapter.8567/post-215824
|
||||||
|
|
||||||
## systemd hardening
|
|
||||||
[Unit]
|
|
||||||
Description=TEST
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
ExecStart=/opt/test
|
|
||||||
|
|
||||||
ProtectSystem=strict
|
|
||||||
ProtectHome=yes
|
|
||||||
PrivateTmp=yes
|
|
||||||
PrivateDevices=yes
|
|
||||||
PrivateNetwork=yes
|
|
||||||
PrivateUsers=yes
|
|
||||||
ProtectHostname=yes
|
|
||||||
ProtectClock=yes
|
|
||||||
ProtectKernelTunables=yes
|
|
||||||
ProtectKernelModules=yes
|
|
||||||
ProtectKernelLogs=yes
|
|
||||||
ProtectControlGroups=yes
|
|
||||||
RestrictAddressFamilies=none
|
|
||||||
RestrictFileSystems=ext4 tmpfs zfs
|
|
||||||
RestrictNamespaces=yes
|
|
||||||
LockPersonality=yes
|
|
||||||
MemoryDenyWriteExecute=yes
|
|
||||||
RestrictRealtime=yes
|
|
||||||
RestrictSUIDSGID=yes
|
|
||||||
RemoveIPC=yes
|
|
||||||
PrivateMounts=yes
|
|
||||||
SystemCallFilter=
|
|
||||||
SystemCallArchitectures=native
|
|
||||||
CapabilityBoundingSet=
|
|
||||||
|
|
||||||
ReadOnlyPaths=/
|
|
||||||
|
|
||||||
NoExecPaths=/
|
|
||||||
ExecPaths=/opt/test /bin/bash /lib
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
|
|
|
||||||
40
test.service
Normal file
40
test.service
Normal file
|
|
@ -0,0 +1,40 @@
|
||||||
|
[Unit]
|
||||||
|
Description=TEST
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/opt/test
|
||||||
|
|
||||||
|
ProtectSystem=strict
|
||||||
|
ProtectHome=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
PrivateDevices=yes
|
||||||
|
PrivateNetwork=yes
|
||||||
|
PrivateUsers=yes
|
||||||
|
ProtectHostname=yes
|
||||||
|
ProtectClock=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
RestrictAddressFamilies=none
|
||||||
|
RestrictFileSystems=ext4 tmpfs zfs
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
LockPersonality=yes
|
||||||
|
MemoryDenyWriteExecute=yes
|
||||||
|
RestrictRealtime=yes
|
||||||
|
RestrictSUIDSGID=yes
|
||||||
|
RemoveIPC=yes
|
||||||
|
PrivateMounts=yes
|
||||||
|
SystemCallFilter=
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
CapabilityBoundingSet=
|
||||||
|
ProtectProc=invisible
|
||||||
|
|
||||||
|
ReadOnlyPaths=/
|
||||||
|
|
||||||
|
NoExecPaths=/
|
||||||
|
ExecPaths=/opt/test /bin/bash /lib
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
Loading…
Reference in a new issue