I use syncthing for backups and data sync. On Linux, I run it via a hardened systemd unit, limiting what directories the process can read and its access to privileged kernel ops and, most important, I restrict TCP/UDP traffic to a specific subnet, to make sure no data egress occurs.

I am installing it on a Mac laptop via Brew, which uses launchd to run it; the plist file is this one:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>KeepAlive</key>
	<true/>
	<key>Label</key>
	<string>homebrew.mxcl.syncthing</string>
	<key>LimitLoadToSessionType</key>
	<array>
		<string>Aqua</string>
		<string>Background</string>
		<string>LoginWindow</string>
		<string>StandardIO</string>
		<string>System</string>
	</array>
	<key>ProgramArguments</key>
	<array>
		<string>/opt/homebrew/opt/syncthing/bin/syncthing</string>
		<string>-no-browser</string>
		<string>-no-restart</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StandardErrorPath</key>
	<string>/opt/homebrew/var/log/syncthing.log</string>
	<key>StandardOutPath</key>
	<string>/opt/homebrew/var/log/syncthing.log</string>
</dict>
</plist>
```
I've done some research and I couldn't find a way to harden security. I can live without the data and privileged access restrictions, but I would like to make sure no data egress occurs. Is this possible?
Note: I tried sandbox-exec, but it doesn't support IP addresses (error: `sandbox-exec: host must be * or localhost in network address`).
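One way to get the same subnet-only egress restriction on macOS, as an added example that is not part of the question: pf(4), which ships with macOS, can match outbound packets by the local account that owns the socket. The rules below assume syncthing runs under a dedicated local account named `syncthing` (for example from a LaunchDaemon with a `UserName` key, rather than the per-user Homebrew agent above) and that the host's pf honours the `user` rule option; the subnet is a constructed placeholder.

```pf
# Constructed example for /etc/pf.anchors/syncthing; not from the question.
# Assumes syncthing runs as the local account "syncthing".
allowed_lan = "192.168.10.0/24"   # placeholder: the only subnet peers may live on

# First match wins because of "quick": permit TCP/UDP only towards the LAN.
# Subnet broadcast (local discovery on UDP 21027) falls inside this range.
pass out quick proto { tcp udp } from any to $allowed_lan user syncthing

# Everything else the syncthing account sends (global discovery, relays,
# DNS, any other host) is dropped and logged for review on pflog0.
block out log quick proto { tcp udp } from any to any user syncthing
```

Load it by adding `anchor "syncthing"` and `load anchor "syncthing" from "/etc/pf.anchors/syncthing"` to `/etc/pf.conf`, then `sudo pfctl -f /etc/pf.conf && sudo pfctl -e`; `sudo pfctl -a syncthing -sr` shows the active rules. Dropped packets can be watched with `sudo tcpdump -n -e -ttt -i pflog0` (the pflog0 interface may need to be created first with `sudo ifconfig pflog0 create`). Because the `user` match applies to sockets the local host creates, relays and global discovery become unreachable for that account, so only peers on the allowed subnet can be synced, which is the stated goal.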