taler-rust

GNU Taler code in Rust. Largely core banking integrations.

commit 55a1921f0e23c18e08293ddba4e89071d0e9fd08
parent 09c0299036ca844ff2bd0d77c97ddb15581155cb
Author: Antoine A <>
Date:   Wed, 19 Nov 2025 15:14:54 +0100

magnet-bank: systemd services hardening

Diffstat:
M debian/taler-magnet-bank.taler-magnet-bank-httpd.service | 14 +++++++++++++-
M debian/taler-magnet-bank.taler-magnet-bank-worker.service | 14 +++++++++++++-
2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/debian/taler-magnet-bank.taler-magnet-bank-httpd.service b/debian/taler-magnet-bank.taler-magnet-bank-httpd.service @@ -24,11 +24,23 @@ StartLimitInterval=5s ExecStart=/usr/bin/taler-magnet-bank serve -c /etc/taler-magnet-bank/taler-magnet-bank.conf ExecCondition=/usr/bin/taler-magnet-bank serve -c /etc/taler-magnet-bank/taler-magnet-bank.conf --check + StandardOutput=journal StandardError=journal + PrivateTmp=yes -PrivateDevices=yes ProtectSystem=full +ProtectHome=yes +ProtectClock=yes +ProtectHostname=yes +ProtectControlGroups=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectProc=invisible +PrivateDevices=yes +NoNewPrivileges=yes + Slice=taler-magnet-bank.slice [Install] diff --git a/debian/taler-magnet-bank.taler-magnet-bank-worker.service b/debian/taler-magnet-bank.taler-magnet-bank-worker.service @@ -22,11 +22,23 @@ StartLimitBurst=5 StartLimitInterval=5s ExecStart=/usr/bin/taler-magnet-bank worker -c /etc/taler-magnet-bank/taler-magnet-bank.conf + StandardOutput=journal StandardError=journal + PrivateTmp=yes -PrivateDevices=yes ProtectSystem=full +ProtectHome=yes +ProtectClock=yes +ProtectHostname=yes +ProtectControlGroups=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectProc=invisible +PrivateDevices=yes +NoNewPrivileges=yes + Slice=taler-magnet-bank.slice [Install]
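Review bot: in the taler-magnet-bank-httpd.service hunk, `ProtectSystem=full` is left as it was while the directives around it are tightened. `full` mounts only /usr, the boot loader directories and /etc read-only, so /var and the rest of the file system stay writable by the service. Consider `ProtectSystem=strict`, with `StateDirectory=` or `ReadWritePaths=` entries for any paths the daemon really has to write, and say in the commit message if `full` is kept on purpose.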
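Review bot: in the taler-magnet-bank-worker.service hunk, the added block from `ProtectHome=yes` through `NoNewPrivileges=yes` is a line-for-line copy of the one added to the httpd unit, so the two files can drift apart the next time one of them is edited. If the installed units are named taler-magnet-bank-httpd.service and taler-magnet-bank-worker.service, a single drop-in under `taler-magnet-bank-.service.d/` would apply the same hardening to both. Also note that `ProtectProc=invisible` needs systemd 247 or later; older versions log a warning and ignore the line, so the minimum supported version is worth documenting.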