Add some security related directives to the systemd service example
This commit is contained in:
parent
945ce9910d
commit
0a58428de6
1 changed files with 10 additions and 0 deletions
|
@ -11,5 +11,15 @@ ExecReload=/bin/kill $MAINPID
|
|||
KillMode=process
|
||||
Restart=on-failure
|
||||
|
||||
; Some security directives.
|
||||
; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
|
||||
PrivateTmp=true
|
||||
; This makes /usr, /boot, /etc read-only.
|
||||
ProtectSystem=full
|
||||
; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
|
||||
PrivateDevices=false
|
||||
; Ensures that the service process and all its children can never gain new privileges through execve()
|
||||
NoNewPrivileges=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
Loading…
Reference in a new issue