tobias/garage_ynh
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

Add RestrictNamespaces=yes

Browse Source
This commit is contained in:
Alexandre Aubin 2020-11-11 19:15:01 +01:00 committed by GitHub
parent fe29c72b12
commit 1ac3a1c1f7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
conf/systemd.service
View File

@ -16,14 +16,16 @@ ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateTmp=yes PrivateTmp=yes
PrivateDevices=yes PrivateDevices=yes
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed DevicePolicy=closed
ProtectSystem=full ProtectSystem=full
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
RestrictRealtime=yes
LockPersonality=yes LockPersonality=yes
# Denying access to capabilities that should not be relevant for webapps # Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD