forked from AkkomaGang/akkoma
Add NoNewPrivileges to systemd service file for source installs
This setting already exists in the OTP installation directory, but doesn't for the one used by source installs.
parent
166ddebdbc
commit
a86b010e10
1 changed files with 2 additions and 0 deletions
|
@ -38,6 +38,8 @@ ProtectHome=true
|
||||||
ProtectSystem=full
|
ProtectSystem=full
|
||||||
; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
|
; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
|
||||||
PrivateDevices=false
|
PrivateDevices=false
|
||||||
|
; Ensures that the service process and all its children can never gain new privileges through execve().
|
||||||
|
NoNewPrivileges=true
|
||||||
; Drops the sysadmin capability from the daemon.
|
; Drops the sysadmin capability from the daemon.
|
||||||
CapabilityBoundingSet=~CAP_SYS_ADMIN
|
CapabilityBoundingSet=~CAP_SYS_ADMIN
|
||||||
|
|
||||||
|
|
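Review bot: The new comment above NoNewPrivileges=true says what the setting prevents but not what it can break. With it enabled, setuid/setgid bits and file capabilities no longer take effect for anything the service or its children execve(), so a helper that depends on them (for example sudo or a binary with file capabilities) will fail when called from the service. Consider adding one sentence to the comment saying so, in the way the PrivateDevices comment a few lines up explains when that option may not work, so admins of source installs know where to look if an external helper stops working after the upgrade.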