Add some security directives to the systemd example file
requested to merge shibayashi/pleroma:security/add-security-directives-to-systemd-example into develop
This adds several directives to the systemd example file.
- PrivateTmp=true: Sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it.
- ProtectSystem=full: Mounts /usr, /boot, and /etc as read-only for processes invoked by this service.
- PrivateDevices=: Sets up a new /dev mount point and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random but no physical devices. May cause problems with devices like the Raspberry Pi, so it’s false by default.
- NoNewPrivileges=true: Ensures that the service process and all its children can never gain new privileges through execve().
This MR probably needs some testing on other instances before this can get merged.
More information about these directives here: systemd.exec(5)
Edited by shibayashi
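To check an installed unit against the four directives listed in the description, the following is an added example and not part of the merge request or the Pleroma repository. It assumes a constructed sample unit file, and the helper names `sample_unit`, `effective_value` and `audit_unit` are hypothetical; it reads the last assignment of each directive in `[Service]` and reports any that differ from the hardened value.

```shell
#!/bin/sh
# Added example: compare a unit's [Service] section with the four directives above.

# Constructed sample unit; description, user and ExecStart are placeholders.
sample_unit() {
cat <<'EOF'
[Unit]
Description=constructed sample service

[Service]
User=example
ExecStart=/usr/bin/example-start
PrivateTmp=true
ProtectSystem=full
; left off for boards such as the Raspberry Pi
PrivateDevices=false
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
}

# effective_value FILE KEY: last assignment of KEY inside [Service] (later lines override).
effective_value() {
  awk -v key="$2" '
    /^[ \t]*[#;]/ { next }                        # comment lines
    /^[ \t]*\[/   { in_svc = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
    in_svc && (eq = index($0, "=")) {
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# audit_unit FILE: one line per directive, "ok" or "review".
audit_unit() {
  for want in PrivateTmp=true ProtectSystem=full PrivateDevices=true NoNewPrivileges=true; do
    key=${want%%=*}
    got=$(effective_value "$1" "$key")
    case $got in yes|on|1) got=true ;; no|off|0) got=false ;; esac   # systemd boolean spellings
    if [ "$got" = "${want#*=}" ]; then echo "ok     $key=$got"
    else echo "review $key=${got:-unset} (hardened value: ${want#*=})"; fi
  done
}

unit=$(mktemp) && sample_unit > "$unit" && audit_unit "$unit"; rm -f "$unit"
```

A `review` line for PrivateDevices is expected on hosts that keep it at false for the hardware reason given in the description.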