From 4f0d2f55e141760b768a735dfbf89d5ed4327bd3 Mon Sep 17 00:00:00 2001
From: phil
Date: Sat, 25 Feb 2023 20:32:51 +0100
Subject: [PATCH] Add more hardening options

---
 templates/systemd/php-fpm@.service | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/templates/systemd/php-fpm@.service b/templates/systemd/php-fpm@.service
index b9154c7..295b0de 100644
--- a/templates/systemd/php-fpm@.service
+++ b/templates/systemd/php-fpm@.service
@@ -26,18 +26,29 @@ RestartSec=30s
 
 # Hardening
 # https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
+LockPersonality=true
+NoNewPrivileges=true
 PrivateDevices=true
 PrivateTmp=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
-ProtectSystem=full
+ProtectSystem=strict
 RestrictRealtime=true
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictNamespaces=true
-SystemCallFilter=@system-service
+SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+ReadWritePaths=-/var/log/
+ReadWritePaths=-{{ php_fpm_log_dir }}
+ReadWritePaths=-/var/run/
+ReadWritePaths=-/run/
+InaccessiblePaths=-/root/
+RuntimeDirectory=php
+RuntimeDirectoryPreserve=yes
 
 [Install]
 WantedBy=multi-user.target
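Review bot: `ReadWritePaths=-/run/` and `ReadWritePaths=-/var/run/` reopen the entire runtime directory for writing, so the move to `ProtectSystem=strict` still leaves php-fpm able to modify other services' sockets and pid files under /run, while `RuntimeDirectory=php` already gives it its own /run/php (which systemd should make writable under strict — worth confirming on the target distro). Similarly `ReadWritePaths=-/var/log/` makes every log file writable even though `-{{ php_fpm_log_dir }}` is granted on the next line. Unless the role places the pid file or listen socket elsewhere in /run (not visible in this hunk), the three broad lines can be dropped, leaving `ReadWritePaths=-{{ php_fpm_log_dir }}` plus `RuntimeDirectory=php`. If `ProtectHome=` is not already set in the part of the unit above line 26, `ProtectHome=true` covers /root and /home more completely than `InaccessiblePaths=-/root/`; a short comment above the ReadWritePaths block stating which paths php-fpm actually writes would also help the next reviewer of this list.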