From 64df26ff8a932449e37c96bb8592b602e22937f9 Mon Sep 17 00:00:00 2001
From: Azalea <22280294+hykilpikonna@users.noreply.github.com>
Date: Sat, 15 Mar 2025 10:13:03 -0400
Subject: [PATCH 1/2] Secure iperf3 systemd service

---
 contrib/iperf3.service | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/contrib/iperf3.service b/contrib/iperf3.service
index e9cf47aa8..2c8b1f3eb 100644
--- a/contrib/iperf3.service
+++ b/contrib/iperf3.service
@@ -5,6 +5,23 @@ Requires=network.target
 [Service]
 ExecStart=/usr/bin/iperf3 -s
 Restart=on-failure
+User=nobody
+
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+DevicePolicy=closed
+ProtectSystem=strict
+ProtectHome=read-only
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
 
 [Install]
 WantedBy=multi-user.target

From 8798105b0fd2f720378ae8e6aed0eedd07191ad7 Mon Sep 17 00:00:00 2001
From: Azalea <22280294+hykilpikonna@users.noreply.github.com>
Date: Mon, 30 Mar 2026 14:28:23 -0400
Subject: [PATCH 2/2] Apply suggestions from code review

Co-authored-by: Johannes Larsen
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 contrib/iperf3.service | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/contrib/iperf3.service b/contrib/iperf3.service
index 2c8b1f3eb..6806745c3 100644
--- a/contrib/iperf3.service
+++ b/contrib/iperf3.service
@@ -5,12 +5,11 @@ Requires=network.target
 [Service]
 ExecStart=/usr/bin/iperf3 -s
 Restart=on-failure
-User=nobody
+DynamicUser=yes
 
 NoNewPrivileges=yes
 PrivateTmp=yes
 PrivateDevices=yes
-DevicePolicy=closed
 ProtectSystem=strict
 ProtectHome=read-only
 ProtectControlGroups=yes
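Review bot: The hardening block added after `Restart=on-failure` leaves the capability bounding set and the system-call surface unrestricted, which is the gap most worth closing for a daemon that accepts connections from any client with no authentication configured. `iperf3 -s` listens on an unprivileged port unless `-p` selects one below 1024, so an empty `CapabilityBoundingSet=` costs nothing in the default configuration, and `SystemCallArchitectures=native` plus `SystemCallFilter=@system-service` bound what the server process can call if it is compromised; the filter should be exercised against the options actually used (zero-copy mode in particular) before it ships. `ProtectKernelLogs=yes`, `ProtectClock=yes` and `ProtectHostname=yes` round out the `Protect*` group already present. The unit's `[Unit]` section lies above the hunk and is not shown.
```ini
# … unchanged: ExecStart, Restart, User and the sandbox directives above …
LockPersonality=yes
CapabilityBoundingSet=
SystemCallArchitectures=native
SystemCallFilter=@system-service
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes
```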
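Review bot: `DynamicUser=yes`, which replaces `User=nobody`, already implies `NoNewPrivileges=yes`, `PrivateTmp=yes`, `ProtectSystem=strict` and `ProtectHome=read-only` (and `RemoveIPC=yes`), so the four explicit lines that follow it in this hunk are now redundant. Keeping them is harmless and arguably clearer, but a comment such as `# DynamicUser= implies NoNewPrivileges=, PrivateTmp=, ProtectSystem=strict and ProtectHome=read-only; kept explicit for readers` stops a later edit from treating them as load-bearing. Because the UID is transient, a key or user file later supplied through `--rsa-private-key-path` or `--authorized-users-path` cannot simply be owned by a fixed service account; `LoadCredential=` is the systemd mechanism for handing such a file to a DynamicUser service without making it world-readable. The dropped `DevicePolicy=closed` is covered by the remaining `PrivateDevices=yes`, which enables it implicitly.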