The server process is limited to certain locations via the sandboxing of systemd. These restrictions also apply to the control programs and their specified users.
# systemd service unit for the Revolution Pi Python PLC daemon (revpipyloadd).
# The [Service] section both starts the daemon and confines its file system
# access through systemd's mount-namespace sandboxing.

[Unit]
Description=Python PLC services for Revolution Pi
# Ordering only: start after network.target has been reached. This does not
# by itself pull in or require the network.
After=network.target

[Service]
# NOTE(review): no User=/Group= is set in this unit, so systemd starts the
# daemon with the service manager's default identity (root for a system
# unit) unless a drop-in overrides it. The sandbox below is therefore the
# main containment for the daemon and for anything it launches.

# Optional environment file; the leading "-" makes a missing file a non-error.
# Presumably this is where DAEMON_OPTS is defined - confirm against the package.
# Whoever can write this file controls the daemon's command line, so it
# should stay writable by root only.
EnvironmentFile=-/etc/default/revpipyload
# Type=forking: systemd expects the ExecStart process to fork and the parent
# to exit; the main PID is then read from PIDFile.
Type=forking
# NOTE(review): /var/run is the legacy alias of /run; recent systemd versions
# log a warning for a PIDFile= below /var/run - confirm on the target release.
PIDFile=/var/run/revpipyload.pid
# $DAEMON_OPTS is unbraced, so systemd splits its value at whitespace into
# separate arguments. "-d" presumably selects daemon mode (matches Type=forking).
ExecStart=/usr/share/revpipyload/revpipyloadd -d $DAEMON_OPTS
# Reload is implemented by sending SIGHUP to the main process.
ExecReload=/bin/kill -HUP $MAINPID

# systemd sandboxing process
# strict: the whole file system hierarchy is mounted read-only for this unit,
# except the API file systems /dev, /proc and /sys. Write access must be
# granted explicitly through ReadWritePaths below.
ProtectSystem=strict
# Make the control group hierarchy (/sys/fs/cgroup) read-only.
ProtectControlGroups=yes
# Deny explicit loading and unloading of kernel modules.
ProtectKernelModules=yes
# Make kernel tunables (e.g. /proc/sys, /sys) read-only.
ProtectKernelTunables=yes

# Allow write operations to the following destinations
# These are the only exceptions to ProtectSystem=strict. Note that /home/ and
# /var/log/ are opened as whole trees, so every user's home directory and all
# system logs remain writable from inside the sandbox; narrow them to the
# directories actually used if the deployment allows it.
# NOTE(review): none of the entries carries the "-" prefix that tells systemd
# to ignore a missing path, so each one is expected to exist when the unit
# starts - confirm that the pid file is created beforehand.
ReadWritePaths=/dev/piControl0 /etc/revpipyload/ /etc/revpi/config.rsc /home/ /var/lib/revpipyload/ /var/log/ /var/run/revpipyload.pid

# Restrict file system access to the following directories
# /boot and /root are hidden completely (neither readable nor writable) from
# the daemon and the processes it starts.
InaccessiblePaths=/boot /root

# NOTE(review): further hardening directives (for example NoNewPrivileges=,
# PrivateTmp=, CapabilityBoundingSet=) are not set here. Whether they can be
# enabled depends on what the control programs need; "systemd-analyze security
# <unit-name>" lists the remaining exposure.

[Install]
# Enabled units are started as part of the normal multi-user boot.
WantedBy=multi-user.target