Merge branch 'security/add-security-directives-to-systemd-example' into 'develop'

Add some security directives to the systemd example file See merge request pleroma/pleroma!386
author: kaniini <nenolod@gmail.com> 2018-10-25 00:15:29 +0000
committer: kaniini <nenolod@gmail.com> 2018-10-25 00:15:29 +0000
commit: 8cc08b94ec7ea5fc1073e52bcc04dbb6f4641665 (patch)
tree: e47e333682574480d399f3f1cb3ddf833819ac46
parent: 945ce9910dc7b29147ec49af0bdb82202008c7c4 (diff)
parent: 043cb7138e3e970d0e50f3f5a9be5efb385bbc92 (diff)
download: pleroma-8cc08b94ec7ea5fc1073e52bcc04dbb6f4641665.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/installation/pleroma.service b/installation/pleroma.service
index fd4180985..84747d952 100644
--- a/installation/pleroma.service
+++ b/installation/pleroma.service
@@ -11,5 +11,15 @@ ExecReload=/bin/kill $MAINPID
 KillMode=process
 Restart=on-failure
 
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
+PrivateTmp=true
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve().
+NoNewPrivileges=true
+
 [Install]
 WantedBy=multi-user.target
author	kaniini <nenolod@gmail.com>	2018-10-25 00:15:29 +0000
committer	kaniini <nenolod@gmail.com>	2018-10-25 00:15:29 +0000
commit	8cc08b94ec7ea5fc1073e52bcc04dbb6f4641665 (patch)
tree	e47e333682574480d399f3f1cb3ddf833819ac46
parent	945ce9910dc7b29147ec49af0bdb82202008c7c4 (diff)
parent	043cb7138e3e970d0e50f3f5a9be5efb385bbc92 (diff)
download	pleroma-8cc08b94ec7ea5fc1073e52bcc04dbb6f4641665.tar.gz