From 824d807f2447ba56a2e595348cb1d636ecdd66e6 Mon Sep 17 00:00:00 2001
From: yingziwu
Date: Tue, 6 Sep 2022 15:15:24 +0800
Subject: [PATCH] Security hardening
---
 release/config/sing-box.service | 38 +++++++++++++++++++++++++++++---
 release/config/sing-box@.service | 38 +++++++++++++++++++++++++++++---
 2 files changed, 70 insertions(+), 6 deletions(-)
diff --git a/release/config/sing-box.service b/release/config/sing-box.service
index 6369b1ba..41ce3eb4 100644
--- a/release/config/sing-box.service
+++ b/release/config/sing-box.service
@@ -4,12 +4,44 @@ Documentation=https://sing-box.sagernet.org
 After=network.target nss-lookup.target
 
 [Service]
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/sing-box run -c /etc/sing-box/config.json
 Restart=on-failure
 RestartSec=10s
-LimitNOFILE=infinity
+TimeoutStopSec=10s
+
+LimitNOFILE=1048576
+LimitNPROC=512
+
+DynamicUser=yes
+CacheDirectory=sing-box
+WorkingDirectory=/var/cache/sing-box
+StateDirectory=sing-box
+Environment=XDG_DATA_HOME=/var/lib/sing-box
+
+# Hardening options
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+DevicePolicy=closed
+LockPersonality=true
+MemoryAccounting=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/release/config/sing-box@.service b/release/config/sing-box@.service
index e12a46e1..44af4597 100644
--- a/release/config/sing-box@.service
+++ b/release/config/sing-box@.service
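Review bot: `DynamicUser=yes` on the new side gives the service an unpredictable transient UID, while `ExecStart` still reads the fixed path `/etc/sing-box/config.json`, so that file (which normally carries keys and credentials) has to be readable by any UID, i.e. effectively world-readable, for the unit to start; the same applies to the sing-box@.service hunk with `/etc/sing-box/%i.json`. A tighter arrangement is `LoadCredential=config.json:/etc/sing-box/config.json` together with `ExecStart=/usr/bin/sing-box run -c %d/config.json`, which lets the file stay root-owned 0600 while the service reads a private copy from the credentials directory. Two directives usually paired with this set are absent, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK` and `SystemCallArchitectures=native`, and would fit below `RestrictSUIDSGID=true`. Since CAP_NET_ADMIN is kept, presumably for a TUN inbound, it is worth confirming on a host that `DevicePolicy=closed` and `PrivateDevices=true` still allow `/dev/net/tun` before this ships.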
@@ -4,12 +4,44 @@ Documentation=https://sing-box.sagernet.org
 After=network.target nss-lookup.target
 
 [Service]
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/sing-box run -c /etc/sing-box/%i.json
 Restart=on-failure
 RestartSec=10s
-LimitNOFILE=infinity
+TimeoutStopSec=10s
+
+LimitNOFILE=1048576
+LimitNPROC=512
+
+DynamicUser=yes
+CacheDirectory=sing-box
+WorkingDirectory=/var/cache/sing-box
+StateDirectory=sing-box
+Environment=XDG_DATA_HOME=/var/lib/sing-box
+
+# Hardening options
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+DevicePolicy=closed
+LockPersonality=true
+MemoryAccounting=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
 
 [Install]
 WantedBy=multi-user.target