| author | yalh76 <yalh@yahoo.com> | 2022-02-16 19:55:50 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-02-16 19:55:50 +0100 |
| commit | 2f33630edba994036a19b02301d9acecd0d43e5c (patch) | |
| tree | 4b2c3f7ce2578b45428793ca89ecb45a2a8868df /conf/mastodon-sidekiq.service | |
| parent | 05d5eedfe64f93344241c78ca24900b5929781f6 (diff) | |
| parent | 115fe3e330f052959f5c345b2e21fe6d90749f66 (diff) | |
Merge pull request #308 from YunoHost-Apps/fix
Few Fixes
Diffstat (limited to 'conf/mastodon-sidekiq.service')
| -rw-r--r-- | conf/mastodon-sidekiq.service | 44 |
1 files changed, 22 insertions, 22 deletions
diff --git a/conf/mastodon-sidekiq.service b/conf/mastodon-sidekiq.service index 47fe663..83c11e6 100644 --- a/conf/mastodon-sidekiq.service +++ b/conf/mastodon-sidekiq.service 
@@ -19,31 +19,31 @@ StandardError=syslog # Depending on specificities of your service/app, you may need to tweak these # .. but this should be a good baseline # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK -RestrictNamespaces=yes -RestrictRealtime=yes -DevicePolicy=closed -ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes -SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap +#NoNewPrivileges=yes +#PrivateTmp=yes +#PrivateDevices=yes +#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +#RestrictNamespaces=yes +#RestrictRealtime=yes +#DevicePolicy=closed +#ProtectSystem=full +#ProtectControlGroups=yes +#ProtectKernelModules=yes +#ProtectKernelTunables=yes +#LockPersonality=yes +#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap # Denying access to capabilities that should not be relevant for webapps # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html -CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD -CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT -CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK -CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM -CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG -CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE -CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG +#CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +#CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +#CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +#CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK 
+#CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +#CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +#CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +#CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +#CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG [Install] WantedBy=multi-user.target |
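Review bot: Every sandboxing directive in this block, from `NoNewPrivileges=yes` through `SystemCallFilter=` and all nine `CapabilityBoundingSet=~...` lines, is commented out at once, and neither the commit message ("Few Fixes") nor the unit file says which directive was breaking the sidekiq service. That leaves the unit with none of the baseline hardening the surrounding comments describe, and the remaining comment "Denying access to capabilities that should not be relevant for webapps" now sits above lines that no longer take effect. Suggest restoring the block and disabling only the directive that actually causes the failure, with a one-line comment next to it naming the symptom, so the rest (for example `NoNewPrivileges=yes`, `PrivateTmp=yes`, `ProtectSystem=full`) stays active. Re-enabling the directives one at a time and checking the service journal after each restart would isolate the offender, and `systemd-analyze security` on the unit gives a before/after view of what the change removes. If the wholesale disable is meant to be temporary, say so in the file so it gets revisited.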
