Merge branch 'security/add-security-directives-to-systemd-example' into 'develop'

author kaniini <nenolod@gmail.com>

Thu, 25 Oct 2018 00:15:29 +0000 (00:15 +0000)

committer kaniini <nenolod@gmail.com>

Thu, 25 Oct 2018 00:15:29 +0000 (00:15 +0000)
author kaniini <nenolod@gmail.com>
Thu, 25 Oct 2018 00:15:29 +0000 (00:15 +0000)
committer kaniini <nenolod@gmail.com>
Thu, 25 Oct 2018 00:15:29 +0000 (00:15 +0000)
diff --git a/installation/pleroma.service b/installation/pleroma.service

index fd418098504d0a2ece9fdd13bb5c182a35aa8f1e..84747d95297b606964861949b60346baa2e52bbb 100644 (file)
--- a/installation/pleroma.service
+++ b/installation/pleroma.service
@@ -11,5 +11,15 @@ ExecReload=/bin/kill $MAINPID
  KillMode=process
  Restart=on-failure
  
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
+PrivateTmp=true
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve().
+NoNewPrivileges=true
+
  [Install]
  WantedBy=multi-user.target
author	kaniini <nenolod@gmail.com>
	Thu, 25 Oct 2018 00:15:29 +0000 (00:15 +0000)
committer	kaniini <nenolod@gmail.com>
	Thu, 25 Oct 2018 00:15:29 +0000 (00:15 +0000)