Mercurial > louis > mq > lightsd

view lightsd_systemd_drop_in_harden.patch @ 552:384131f70406

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
RestrictAddressFamilies breaks getifaddrs and move those additions to theirr own patches
author Louis Opter <louis@opter.org>
date Sun, 14 May 2017 13:59:19 -0700
parents
children
line wrap: on
line source

# HG changeset patch
# Parent  5304640171f0d46dfa96778d12917be784ef4c73
lightsd: harden the systemd service configuration and add a sample drop-in

diff --git a/dist/lightsd.service b/dist/lightsd.service
--- a/dist/lightsd.service
+++ b/dist/lightsd.service
@@ -8,6 +8,13 @@
 Group=lightsd
 RuntimeDirectory=lightsd
 Restart=on-failure
+ProtectSystem=full
+ProtectHome=true
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+# Debian Stretch and after:
+# RestrictNamespaces=yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/examples/custom-exec-start.conf b/examples/custom-exec-start.conf
new file mode 100644
--- /dev/null
+++ b/examples/custom-exec-start.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/lightsd -t -v warning -s %t/lightsd/socket -c %t/lightsd/pipe -l :::56742