add one more security setting for ttrss update systemd service
This commit is contained in:
parent
776265ddac
commit
c4a8c66ce6
1 changed files with 5 additions and 4 deletions
|
@ -35,6 +35,8 @@ utils.systemd-service-derivation rec {
|
||||||
Group=${TtrssService.group}
|
Group=${TtrssService.group}
|
||||||
ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php
|
ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php
|
||||||
|
|
||||||
|
RuntimeDirectory=${name}
|
||||||
|
|
||||||
PrivateDevices=true
|
PrivateDevices=true
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
ProtectKernelTunables=true
|
ProtectKernelTunables=true
|
||||||
|
@ -45,6 +47,9 @@ utils.systemd-service-derivation rec {
|
||||||
ProtectHostname=true
|
ProtectHostname=true
|
||||||
ProtectClock=true
|
ProtectClock=true
|
||||||
RestrictSUIDSGID=true
|
RestrictSUIDSGID=true
|
||||||
|
LockPersonality=true
|
||||||
|
NoNewPrivileges=true
|
||||||
|
|
||||||
SystemCallFilter=@basic-io @file-system @process @system-service
|
SystemCallFilter=@basic-io @file-system @process @system-service
|
||||||
|
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
|
@ -54,10 +59,6 @@ utils.systemd-service-derivation rec {
|
||||||
# NoExecPaths=/
|
# NoExecPaths=/
|
||||||
# ExecPaths=${pkgs.php}/bin
|
# ExecPaths=${pkgs.php}/bin
|
||||||
|
|
||||||
NoNewPrivileges=true
|
|
||||||
|
|
||||||
RuntimeDirectory=${name}
|
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
'';
|
'';
|
||||||
|
|
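Review bot: The added `LockPersonality=true` and the relocated `NoNewPrivileges=true` land in the same hunk as `SystemCallFilter=@basic-io @file-system @process @system-service`, where the three explicit groups are redundant because `@system-service` already contains them; a tighter allow-list would be `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources`, but only after a test run, since a wrongly denied syscall kills update_daemon2.php outright. `NoNewPrivileges=true` is also set implicitly by systemd whenever `SystemCallFilter=`, `PrivateDevices=`, `ProtectKernelTunables=` or `ProtectClock=` are used, so the move is harmless, and a comment such as `# kept explicit even though implied by SystemCallFilter= and friends` would make that intent clear. Lines 43-46 and 56-58 of the unit are outside these hunks, so companions to `LockPersonality=` such as `SystemCallArchitectures=native`, `RestrictNamespaces=true` and `CapabilityBoundingSet=` may already be present; if they are not, they belong next to it. The commented-out `NoExecPaths=/` / `ExecPaths=${pkgs.php}/bin` pair deserves a one-line reason for being disabled so the next reader does not re-enable it without retesting.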