Update release:

- Add Systemd user unit files - Security improvement to system units - Update the default config.json according to the manual
SagerNet · Jun 24, 2024 · 645060e · 645060e
1 parent 8a2d3fb
commit 645060e
Show file tree

Hide file tree

Showing 7 changed files with 148 additions and 43 deletions.
diff --git a/release/config/config.json b/release/config/config.json
@@ -1,7 +1,4 @@
 {
-  "log": {
-    "level": "info"
-  },
   "dns": {
     "servers": [
       {
@@ -11,29 +8,37 @@
   },
   "inbounds": [
     {
-      "type": "shadowsocks",
       "listen": "::",
       "listen_port": 8080,
-      "sniff": true,
-      "network": "tcp",
       "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
+      "multiplex": {
+        "enabled": true
+      },
+      "network": "tcp",
+      "password": "8JCsPssfgS8tiRwiMlhARg==",
+      "sniff": true,
+      "tcp_fast_open": true,
+      "tcp_multi_path": true,
+      "type": "shadowsocks"
     }
   ],
+  "log": {
+    "level": "info"
+  },
   "outbounds": [
     {
       "type": "direct"
     },
     {
-      "type": "dns",
-      "tag": "dns-out"
+      "tag": "dns-out",
+      "type": "dns"
     }
   ],
   "route": {
     "rules": [
       {
-        "protocol": "dns",
-        "outbound": "dns-out"
+        "outbound": "dns-out",
+        "protocol": "dns"
       }
     ]
   }

diff --git a/release/config/sing-box.service b/release/config/sing-box.service
diff --git a/release/config/[email protected] b/release/config/[email protected]
diff --git a/release/config/system/sing-box.service b/release/config/system/sing-box.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=sing-box service
+Documentation=https://sing-box.sagernet.org
+After=network.target nss-lookup.target network-online.target
+
+[Service]
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+ConfigurationDirectory=sing-box
+DynamicUser=true
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -C ${CONFIGURATION_DIRECTORY} run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=full
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/release/config/system/[email protected] b/release/config/system/[email protected]
@@ -0,0 +1,38 @@
+[Unit]
+Description=sing-box service (%i)
+Documentation=https://sing-box.sagernet.org
+After=network.target nss-lookup.target network-online.target
+
+[Service]
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+ConfigurationDirectory=sing-box
+DynamicUser=true
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -c ${CONFIGURATION_DIRECTORY}/%i.json run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=full
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box-%i
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
+DefaultInstance=sing-box.service
diff --git a/release/config/user/sing-box.service b/release/config/user/sing-box.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=sing-box user service
+Documentation=https://sing-box.sagernet.org
+After=basic.target
+
+[Service]
+ConfigurationDirectory=sing-box
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -C ${CONFIGURATION_DIRECTORY} run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectProc=noaccess
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=default.target
diff --git a/release/config/user/[email protected] b/release/config/user/[email protected]
@@ -0,0 +1,29 @@
+[Unit]
+Description=sing-box user service (%i)
+Documentation=https://sing-box.sagernet.org
+After=basic.target
+
+[Service]
+ConfigurationDirectory=sing-box
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -c ${CONFIGURATION_DIRECTORY}/%i.json run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectProc=noaccess
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box-%i
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=default.target
+DefaultInstance=sing-box.service