Improve security of systemd service rest-server.service by restricting network access #246
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is the purpose of this change? What does it change?
Improve security of rest-server.service by restricting network access.
This patch improves the overall security assessment score given by
systemd-analyze security rest-server.service
from "1.3 OK" to "0.6 SAFE" (when using systemd-analyze version 253)Remove
AF_INET AF_INET6
from RestrictAddressFamilies. Sockets originating from socket activation are not affected by the systemd directive RestrictAddressFamilies. See systemd.exec man page.Add
PrivateNetwork=yes
as recommended for socket-activated services in the systemd.socket man page.Add dependency on rest-server.socket
Was the change discussed in an issue or in the forum before?
Yes, in the forum:
https://forum.restic.net/t/using-none-instead-of-af-inet-af-inet6-for-restrictaddressfamilies-in-systemd-unit-rest-server-service/6448
Checklist
changelog/unreleased/
that describes the changes for our users (template here)gofmt
on the code in all commits