revpi/revpipyload
1
0
Fork 0
mirror of https://github.com/naruxde/revpipyload.git synced 2025-11-08 15:13:52 +01:00
Code Issues Packages Releases Wiki Activity

feat: Use systemd sandboxing for daemon process

Browse Source 
The server process is limited to certain locations via the sandboxing of
systemd. These restrictions also apply to the control programs and
their specified users.
This commit is contained in:
Sven Sager
2024-09-12 15:59:05 +02:00
parent c9877d8230
commit b12a52623b
1 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
data/lib/systemd/revpipyload.service
View File

@@ -9,5 +9,17 @@ PIDFile=/var/run/revpipyload.pid
ExecStart=/usr/share/revpipyload/revpipyloadd -d $DAEMON_OPTS ExecStart=/usr/share/revpipyload/revpipyloadd -d $DAEMON_OPTS
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
# systemd sandboxing process
ProtectSystem=strict
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Allow write operations to the following destinations
ReadWritePaths=/dev/piControl0 /etc/revpipyload/ /etc/revpi/config.rsc /home/ /var/lib/revpipyload/ /var/log/ /var/run/revpipyload.pid
# Restrict file system access to the following directories
InaccessiblePaths=/boot /root
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target