Hardening systemd pcscd.service file

See https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html The exposure level was: $ systemd-analyze security pcscd.service [...] → Overall exposure level for pcscd.service: 9.6 UNSAFE 😨 And we now have: $ systemd-analyze security pcscd.service [...] → Overall exposure level for pcscd.service: 2.1 OK 🙂 Thanks to David Fields for the initial patch "systemd service hardening for pcscd" LudovicRousseau/PCSC#207
LudovicRousseau · Feb 4, 2025 · abcfeae · abcfeae
1 parent f0f4fa1
commit abcfeae
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/etc/pcscd.service.in b/etc/pcscd.service.in
@@ -8,5 +8,39 @@ ExecStart=@sbindir_exp@/pcscd --foreground --auto-exit $PCSCD_ARGS
 ExecReload=@sbindir_exp@/pcscd --hotplug
 EnvironmentFile=-@sysconfdir@/default/pcscd
 
+# Paths
+ProtectProc=invisible
+
+# Capabilities
+CapabilityBoundingSet=
+
+# Security
+NoNewPrivileges=yes
+
+# Process Properties
+UMask=0077
+
+# Sandboxing
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+# System Call Filtering
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+SystemCallArchitectures=native
+
 [Install]
 Also=pcscd.socket