Add some security related directives to the systemd service example
This commit is contained in:
parent
945ce9910d
commit
0a58428de6
|
@ -11,5 +11,15 @@ ExecReload=/bin/kill $MAINPID
|
||||||
KillMode=process
|
KillMode=process
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
|
||||||
|
; Some security directives.
|
||||||
|
; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
|
||||||
|
PrivateTmp=true
|
||||||
|
; This makes /usr, /boot, /etc read-only.
|
||||||
|
ProtectSystem=full
|
||||||
|
; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
|
||||||
|
PrivateDevices=false
|
||||||
|
; Ensures that the service process and all its children can never gain new privileges through execve()
|
||||||
|
NoNewPrivileges=true
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
Loading…
Reference in a new issue