-
Notifications
You must be signed in to change notification settings - Fork 0
/
fan_remote.service
77 lines (71 loc) · 2.22 KB
/
fan_remote.service
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
[Unit]
Description=Server to allow my fan to be turned off remotely
After=network.target
Wants=network.target
# NOTE: Remember to check this file after making changes:
# sudo ./install.sh; systemd-analyze security fan_remote.service
[Service]
Type=simple
ExecStart=/usr/local/bin/fan_remote -f2
#BindPaths=/dev/bus/usb
BindReadOnlyPaths=/usr/local/bin/fan_remote /usr/local/bin/pycm19a.py
CapabilityBoundingSet=
CPUQuota=20%
#DevicePolicy=closed
#DeviceAllow=char-usb/* char-usb_device/*
DynamicUser=yes
Environment=
#ExecPaths=/bin /usr/bin /usr/local/bin
IPAddressDeny=any
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
MemoryMax=512M
Nice=10
#NoExecPaths=/
NoNewPrivileges=yes
PassEnvironment=
#PrivateDevices=yes
PrivateIPC=yes
ProcSubset=pid
ProtectProc=invisible
PrivateMounts=yes
PrivateNetwork=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
ReadOnlyPaths=/usr/bin/python3
ReadOnlyDirectories=/usr
RemoveIPC=yes
RestrictAddressFamilies=AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SocketBindDeny=any
SupplementaryGroups=dialout
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@chown @privileged @resources @setuid
StandardOutput=journal
TemporaryFileSystem=/usr/local:ro /usr/local/bin:ro
UMask=0077
# All irrelevant paths not covered by Private* options that the FHS says we
# should be able to rely on existing (systemd will error out if one doesn't)
InaccessiblePaths=/boot /media /mnt /opt /srv /usr/include /usr/share /usr/src /var
# Remaining `systemd-analyze security` concerns:
# - I haven't figured out what DeviceAllow I'm missing to get libusb to work
# with DevicePolicy=closed and PrivateDevices=yes
# - ProtectClock=yes would block libusb from working
# - RestrictAddressFamilies=AF_NETLINK is needed for libusb to work
# - RootDirectory/RootImage would require re-implementing pycm19a.py in Rust
# or building a container image with Python for cm19a.py to access X10.
# - SupplementaryGroups=dialout is what I permissioned the CM19A dev node to
[Install]
WantedBy=multi-user.target