Update systemd.service
This commit is contained in:
parent
d4876b093a
commit
f6f814e69b
1 changed files with 6 additions and 1 deletions
|
@ -22,12 +22,17 @@ RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
DevicePolicy=closed
|
DevicePolicy=closed
|
||||||
|
ProtectClock=yes
|
||||||
|
ProtectHostname=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
|
ProtectProc=invisible
|
||||||
ProtectSystem=full
|
ProtectSystem=full
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
|
||||||
|
|
||||||
# Denying access to capabilities that should not be relevant for webapps
|
# Denying access to capabilities that should not be relevant for webapps
|
||||||
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
|
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
|
||||||
|
|
Loading…
Reference in a new issue