Add some security related directives to the systemd service example

This commit is contained in:
shibayashi 2018-10-25 00:37:31 +02:00
parent 945ce9910d
commit 0a58428de6
No known key found for this signature in database
GPG key ID: C10662A33EB28508

View file

@ -11,5 +11,15 @@ ExecReload=/bin/kill $MAINPID
KillMode=process KillMode=process
Restart=on-failure Restart=on-failure
; Some security directives.
; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
PrivateTmp=true
; This makes /usr, /boot, /etc read-only.
ProtectSystem=full
; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
PrivateDevices=false
; Ensures that the service process and all its children can never gain new privileges through execve()
NoNewPrivileges=true
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target