Package: geoipupdate
Version: 4.6.0-1

Dear Maintainer,
thanks for including a systemd service for a weekly update run.
I used a similar service already and was running it with several
hardening options.
Please consider adding them.

Best regards,
     Christian Göttsche

# hardening options
#  details: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
#  no PrivateNetwork
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=true
PrivateTmp=true
ProtectClock=yes
ProtectControlGroups=true
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=true
ProtectKernelTunables=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/GeoIP/
RestrictNamespaces=yes
RestrictRealtime=true

SystemCallFilter=
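
An added example, not part of the original report or of the package: a POSIX shell audit that lists which of the directives proposed above a unit file still lacks, and checks that ProtectSystem=strict is paired with a writable database directory. The function names and the unit file path passed to them are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a unit file against the directives proposed in the report.
# Function names are hypothetical; the directive names come from the report.
WANTED="LockPersonality MemoryDenyWriteExecute NoNewPrivileges PrivateDevices
PrivateTmp ProtectClock ProtectControlGroups ProtectHome ProtectKernelLogs
ProtectKernelModules ProtectKernelTunables ProtectSystem ReadWritePaths
RestrictNamespaces RestrictRealtime SystemCallFilter"

# Effective value of KEY ($2) in the [Service] section of FILE ($1). The last
# assignment is used, so a trailing empty assignment (which resets a list
# setting such as SystemCallFilter= or ReadWritePaths=) yields an empty result.
service_value() {
    awk -v k="$2" '
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\]/); next }
        !in_service || /^[ \t]*[#;]/ || !/=/ { next }
        {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            if (key != k) next
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        }
        END { print val }' "$1"
}

# Print every proposed directive that is absent or empty in FILE ($1).
missing_hardening() {
    for key in $WANTED; do
        [ -n "$(service_value "$1" "$key")" ] || printf '%s\n' "$key"
    done
}

# Succeed unless ProtectSystem=strict is set without DIR ($2) in ReadWritePaths,
# which would leave the updater unable to write its database directory.
strict_dir_writable() {
    [ "$(service_value "$1" ProtectSystem)" = strict ] || return 0
    want=${2%/}
    for p in $(service_value "$1" ReadWritePaths); do
        p=${p#[-+]}; p=${p%/}
        [ "$p" = "$want" ] && return 0
    done
    return 1
}
```

For a unit that is already loaded, `systemd-analyze security` reports systemd's own exposure assessment of the same settings.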
