diff --git a/advanced/Templates/pihole-FTL.systemd b/advanced/Templates/pihole-FTL.systemd
index 6f321eff..5a2dcc8b 100644
--- a/advanced/Templates/pihole-FTL.systemd
+++ b/advanced/Templates/pihole-FTL.systemd
@@ -19,6 +19,7 @@ StartLimitIntervalSec=60s
 User=pihole
 PermissionsStartOnly=true
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN
+# Prevents the pihole-FTL process from acquiring more capabilities then the following
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN
 ExecStartPre=/opt/pihole/pihole-FTL-prestart.sh
@@ -31,13 +32,18 @@ ExecStopPost=/opt/pihole/pihole-FTL-poststop.sh
 # Use graceful shutdown with a reasonable timeout
 TimeoutStopSec=10s
+# Let the pihole-FTL process see a read-only view of /opt/pihole when TemporaryFileSystem= is
+# hiding the content of /opt
 BindReadOnlyPaths=/opt/pihole
+# Gives access to /etc/pihole
 ConfigurationDirectory=pihole
 LockPersonality=true
+# Gives access to /var/log/pihole
 LogsDirectory=pihole
 NoNewPrivileges=true
 PrivateDevices=true
 PrivateIPC=true
+# Gives pihole-FTL a private (0700), not shared, per-execution, tmp folder
 PrivateTmp=true
 ProtectClock=true
 ProtectControlGroups=true
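Review bot: The new comment above CapabilityBoundingSet= has a typo ("then" should be "than") and understates what the directive does: the bounding set caps not only pihole-FTL itself but every process it executes, since the bounding set is inherited across exec and can only ever shrink. Suggested wording: `# Bounding set: pihole-FTL and anything it executes can never gain capabilities beyond the following`. Keeping the list byte-identical to AmbientCapabilities= is the right choice here and could be called out so a future edit changes both lines together.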
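Review bot: The PrivateTmp= comment is misleading in two details: the directive isolates both /tmp and /var/tmp, not a single "tmp folder", and the per-service directory systemd mounts at /tmp is itself world-writable with the sticky bit, so "(0700)" describes only the root-owned parent directory that holds it, not the view pihole-FTL gets. Suggested wording: `# Gives pihole-FTL its own /tmp and /var/tmp, created at start and removed at stop, invisible to other services`. The remaining comments in this hunk (BindReadOnlyPaths=, ConfigurationDirectory=, LogsDirectory=) read accurately against systemd.exec(5).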
@@ -46,17 +52,23 @@ ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+# Hides processes owned by other users from pihole-FTL view
 ProtectProc=invisible
+# Mount the entire file system as read-only. Write access to required folders is provided via
+# {Configuration,Logs,Runtime}Directory= settings
 ProtectSystem=strict
 RemoveIPC=true
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
+# Gives access to /run/pihole, cleared when service is stopped
 RuntimeDirectory=pihole
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
+# Blacklist using the '~' character the @privileged syscall set
 SystemCallFilter=~@privileged
+# Hides the content of the following folders, which may contain user data, from pihole-FTL view
 TemporaryFileSystem=/media /mnt /opt /run /srv /var
 [Install]
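Review bot: The ProtectSystem=strict comment asserts that write access to /etc/pihole comes from ConfigurationDirectory=, but that directive is documented differently from LogsDirectory= and RuntimeDirectory=: it does not chown the directory to User=, and I do not believe it is exempted from the strict read-only mount the way the state/logs/runtime directories are, so whether the pihole user can actually write there depends on the pre-existing ownership of /etc/pihole and should be verified against systemd.exec(5) on the targeted release. If FTL needs to write its configuration or database under /etc/pihole, the honest comment is `# Write access to required folders is provided via {Logs,Runtime}Directory= and, if needed, ReadWritePaths=`, with an explicit `ReadWritePaths=/etc/pihole` added rather than relying on the implication. The '~' comment is also hard to parse as written; `# A leading '~' denies the listed set, so the effective filter is @system-service minus @privileged` states the combined effect of the two SystemCallFilter= lines directly.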