templates/systemd/mastodon: update sandbox mode (#16235)
* templates/systemd/mastodon: add new sandboxing options * templates/systemd/mastodon: add '@privileged' and remove duplicates SystemCallFilters * templates/systemd/mastodon: add '@ipc' SystemCallFilter * templates/systemd/mastodon: add '@memlock' SystemCallFilter * templates/systemd/mastodon: allow '@resources' filter to mastodon-web servicepull/16898/head
parent
c8ce728705
commit
a9ff5c8309
|
@ -13,6 +13,9 @@ Environment="LD_PRELOAD=libjemalloc.so"
|
|||
ExecStart=/home/mastodon/.rbenv/shims/bundle exec sidekiq -c 25
|
||||
TimeoutSec=15
|
||||
Restart=always
|
||||
# Proc filesystem
|
||||
ProcSubset=pid
|
||||
ProtectProc=invisible
|
||||
# Capabilities
|
||||
CapabilityBoundingSet=
|
||||
# Security
|
||||
|
@ -35,11 +38,15 @@ RestrictNamespaces=true
|
|||
LockPersonality=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
RemoveIPC=true
|
||||
PrivateMounts=true
|
||||
ProtectClock=true
|
||||
# System Call Filtering
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap
|
||||
SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
|
||||
SystemCallFilter=@chown
|
||||
SystemCallFilter=pipe
|
||||
SystemCallFilter=pipe2
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
@ -12,6 +12,9 @@ Environment="STREAMING_CLUSTER_NUM=1"
|
|||
ExecStart=/usr/bin/node ./streaming
|
||||
TimeoutSec=15
|
||||
Restart=always
|
||||
# Proc filesystem
|
||||
ProcSubset=pid
|
||||
ProtectProc=invisible
|
||||
# Capabilities
|
||||
CapabilityBoundingSet=
|
||||
# Security
|
||||
|
@ -34,11 +37,14 @@ RestrictNamespaces=true
|
|||
LockPersonality=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
RemoveIPC=true
|
||||
PrivateMounts=true
|
||||
ProtectClock=true
|
||||
# System Call Filtering
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap
|
||||
SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @memlock @mount @obsolete @privileged @resources @setuid
|
||||
SystemCallFilter=pipe
|
||||
SystemCallFilter=pipe2
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
@ -13,6 +13,9 @@ ExecStart=/home/mastodon/.rbenv/shims/bundle exec puma -C config/puma.rb
|
|||
ExecReload=/bin/kill -SIGUSR1 $MAINPID
|
||||
TimeoutSec=15
|
||||
Restart=always
|
||||
# Proc filesystem
|
||||
ProcSubset=pid
|
||||
ProtectProc=invisible
|
||||
# Capabilities
|
||||
CapabilityBoundingSet=
|
||||
# Security
|
||||
|
@ -35,11 +38,15 @@ RestrictNamespaces=true
|
|||
LockPersonality=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
RemoveIPC=true
|
||||
PrivateMounts=true
|
||||
ProtectClock=true
|
||||
# System Call Filtering
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @resources @setuid @swap
|
||||
SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
|
||||
SystemCallFilter=@chown
|
||||
SystemCallFilter=pipe
|
||||
SystemCallFilter=pipe2
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
Loading…
Reference in New Issue