Add NoNewPrivileges to systemd service file for source installs

This setting already exists in the OTP installation directory, but
doesn't for the one used by source installs.
This commit is contained in:
Norm 2023-06-29 02:14:04 -04:00
parent 166ddebdbc
commit a86b010e10
Signed by untrusted user: norm
GPG key ID: 41288320096BE045

View file

@ -38,6 +38,8 @@ ProtectHome=true
ProtectSystem=full ProtectSystem=full
; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi. ; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
PrivateDevices=false PrivateDevices=false
; Ensures that the service process and all its children can never gain new privileges through execve().
NoNewPrivileges=true
; Drops the sysadmin capability from the daemon. ; Drops the sysadmin capability from the daemon.
CapabilityBoundingSet=~CAP_SYS_ADMIN CapabilityBoundingSet=~CAP_SYS_ADMIN