authoryalh76 <yalh@yahoo.com>2022-02-15 23:52:20 +0100
committeryalh76 <yalh@yahoo.com>2022-02-15 23:52:20 +0100
commit35508ef351479dfa9cc99c74039969c94f513391 (patch)
tree7c75fc67e8e142eb90c9e2894d56d77ed04a108c
parent61260259afd09414ef7f9d3d51f7aac162de3f4e (diff)
downloadmastodon_ynh-35508ef351479dfa9cc99c74039969c94f513391.tar.gz
mastodon_ynh-35508ef351479dfa9cc99c74039969c94f513391.tar.bz2
mastodon_ynh-35508ef351479dfa9cc99c74039969c94f513391.zip
Fix #305
-rw-r--r--conf/mastodon-sidekiq.service44
1 files changed, 22 insertions, 22 deletions
diff --git a/conf/mastodon-sidekiq.service b/conf/mastodon-sidekiq.service
index 47fe663..83c11e6 100644
--- a/conf/mastodon-sidekiq.service
+++ b/conf/mastodon-sidekiq.service
@@ -19,31 +19,31 @@ StandardError=syslog
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
-DevicePolicy=closed
-ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+#NoNewPrivileges=yes
+#PrivateTmp=yes
+#PrivateDevices=yes
+#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+#RestrictNamespaces=yes
+#RestrictRealtime=yes
+#DevicePolicy=closed
+#ProtectSystem=full
+#ProtectControlGroups=yes
+#ProtectKernelModules=yes
+#ProtectKernelTunables=yes
+#LockPersonality=yes
+#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
-CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
-CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
-CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
-CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
-CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
-CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+#CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+#CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+#CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+#CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+#CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+#CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+#CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+#CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+#CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
[Install]
WantedBy=multi-user.target
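Review bot: All 22 hardening directives in this hunk, from `NoNewPrivileges=yes` through the last `CapabilityBoundingSet=` line, are commented out at once, so the sidekiq unit now runs with no systemd sandboxing, no syscall filter and an unrestricted capability bounding set. The commit message says only "Fix #305" and nothing visible shows which directive caused the failure; presumably only one or two are involved, so the rest could stay enabled and the offending one be relaxed on its own. The two surviving comment headers ("this should be a good baseline", "Denying access to capabilities…") now describe settings that are no longer in effect. A line such as `# Sandboxing disabled as a workaround for #305 - re-enable directive by directive` above the block would make that state explicit, and `systemd-analyze security mastodon-sidekiq.service` can be used to track the unit's exposure while the options are off.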