Security hardening

yingziwu 2022-09-06 15:15:24 +08:00 committed by GitHub
parent 8f8437a88d
commit 824d807f24
2 changed files with 70 additions and 6 deletions


@ -4,12 +4,44 @@ Documentation=https://sing-box.sagernet.org
After=network.target nss-lookup.target After=network.target nss-lookup.target
[Service] [Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/sing-box run -c /etc/sing-box/config.json ExecStart=/usr/bin/sing-box run -c /etc/sing-box/config.json
Restart=on-failure Restart=on-failure
RestartSec=10s RestartSec=10s
LimitNOFILE=infinity TimeoutStopSec=10s
LimitNOFILE=1048576
LimitNPROC=512
DynamicUser=yes
CacheDirectory=sing-box
WorkingDirectory=/var/cache/sing-box
StateDirectory=sing-box
Environment=XDG_DATA_HOME=/var/lib/sing-box
# Hardening options
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
DevicePolicy=closed
LockPersonality=true
MemoryAccounting=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
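Review bot: `PrivateDevices=true` in this hunk, together with `DevicePolicy=closed`, is very likely to make the tun inbound unusable: the private /dev that systemd mounts holds only the API pseudo devices and, as far as I can tell, no /dev/net/tun, while the unit still grants CAP_NET_ADMIN precisely so tun interfaces and routes can be set up. Please exercise a tun configuration under the new unit; if it fails, drop `PrivateDevices=true` and rely on `DevicePolicy=closed` plus an explicit `DeviceAllow=/dev/net/tun rw` instead. Independently, the new hardening block restricts neither socket families nor syscalls; `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK` and `SystemCallArchitectures=native` would close the most common `systemd-analyze security` findings for a Go network daemon (verify with a tun config that no other family is needed before adding them). The same two points apply to the second file section, the `%i.json` instance template.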


@ -4,12 +4,44 @@ Documentation=https://sing-box.sagernet.org
After=network.target nss-lookup.target After=network.target nss-lookup.target
[Service] [Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/sing-box run -c /etc/sing-box/%i.json ExecStart=/usr/bin/sing-box run -c /etc/sing-box/%i.json
Restart=on-failure Restart=on-failure
RestartSec=10s RestartSec=10s
LimitNOFILE=infinity TimeoutStopSec=10s
LimitNOFILE=1048576
LimitNPROC=512
DynamicUser=yes
CacheDirectory=sing-box
WorkingDirectory=/var/cache/sing-box
StateDirectory=sing-box
Environment=XDG_DATA_HOME=/var/lib/sing-box
# Hardening options
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
DevicePolicy=closed
LockPersonality=true
MemoryAccounting=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
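Review bot: `CacheDirectory=sing-box`, `StateDirectory=sing-box`, `WorkingDirectory=/var/cache/sing-box` and `Environment=XDG_DATA_HOME=/var/lib/sing-box` in this template are shared by every `sing-box@<instance>` unit, yet `DynamicUser=yes` allocates a separate transient user per instance name. Presumably systemd fixes up ownership of those directories to whichever instance starts last, so two instances running concurrently would likely lose access to their own cache and state; confirm by starting two instances side by side. Scoping the directories per instance with the `%i` specifier avoids the collision and keeps each instance's data isolated from the others.
```ini
# … unchanged: ExecStart, Restart, limits …
CacheDirectory=sing-box/%i
WorkingDirectory=/var/cache/sing-box/%i
StateDirectory=sing-box/%i
Environment=XDG_DATA_HOME=/var/lib/sing-box/%i
# … unchanged: hardening options …
```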