Add some security related directives to the systemd service example

author shibayashi <shibayashi@cypherpunk.observer>

Wed, 24 Oct 2018 22:37:31 +0000 (00:37 +0200)

committer shibayashi <shibayashi@cypherpunk.observer>

Wed, 24 Oct 2018 22:37:31 +0000 (00:37 +0200)
author shibayashi <shibayashi@cypherpunk.observer>
Wed, 24 Oct 2018 22:37:31 +0000 (00:37 +0200)
committer shibayashi <shibayashi@cypherpunk.observer>
Wed, 24 Oct 2018 22:37:31 +0000 (00:37 +0200)
diff --git a/installation/pleroma.service b/installation/pleroma.service

index fd418098504d0a2ece9fdd13bb5c182a35aa8f1e..e410764f37c9e2bacc98791646452290dea9c1ad 100644 (file)
--- a/installation/pleroma.service
+++ b/installation/pleroma.service
@@ -11,5 +11,15 @@ ExecReload=/bin/kill $MAINPID
  KillMode=process
  Restart=on-failure
  
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
+PrivateTmp=true
+; This makes /usr, /boot, /etc read-only.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve()
+NoNewPrivileges=true
+
  [Install]
  WantedBy=multi-user.target
author	shibayashi <shibayashi@cypherpunk.observer>
	Wed, 24 Oct 2018 22:37:31 +0000 (00:37 +0200)
committer	shibayashi <shibayashi@cypherpunk.observer>
	Wed, 24 Oct 2018 22:37:31 +0000 (00:37 +0200)