X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=www-servers%2Fapache%2F.unused%2Ffiles%2Fapache2.2-hardened.service;fp=www-servers%2Fapache%2F.unused%2Ffiles%2Fapache2.2-hardened.service;h=7a512a733e72fcc04cbf3fc4e55113b5443270a4;hb=784e0f15a2c554f73421a213fb6fa9a337b03b90;hp=0000000000000000000000000000000000000000;hpb=53850d2246388561be585fadfa1a3423094206b7;p=portage-squeep
diff --git a/www-servers/apache/.unused/files/apache2.2-hardened.service b/www-servers/apache/.unused/files/apache2.2-hardened.service
new file mode 100644
index 0000000..7a512a7
--- /dev/null
+++ b/www-servers/apache/.unused/files/apache2.2-hardened.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=The Apache HTTP Server
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+EnvironmentFile=/etc/conf.d/apache2
+ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
+ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
+ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
+# We want systemd to give httpd some time to finish gracefully, but still want
+# it to kill httpd after TimeoutStopSec if something went wrong during the
+# graceful stop. Normally, Systemd sends SIGTERM signal right after the
+# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
+# httpd time to finish.
+KillSignal=SIGCONT
+PrivateTmp=true
+#Hardening
+PrivateTmp=true
+CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
+SecureBits=noroot-locked
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
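Review bot: `SecureBits=noroot-locked` in the hardening block sets only the lock bit, so per capabilities(7) it freezes `noroot` in its cleared state rather than enabling it; a UID 0 process still gains capabilities on exec, limited only by the bounding set. If dropping root's implicit capabilities was the goal, the line would need to read `SecureBits=noroot noroot-locked`, and the daemon would then presumably need its capabilities supplied explicitly (for example via `AmbientCapabilities=`), which should be tested before enabling. `PrivateTmp=true` also appears twice, once before and once after `#Hardening`, so one of the two can be dropped. `CAP_DAC_OVERRIDE` in `CapabilityBoundingSet=` bypasses file permission checks, so a one-line comment stating why Apache needs it would help later reviewers decide whether it can be removed.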