417116f234
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
25 lines
672 B
SYSTEMD
25 lines
672 B
SYSTEMD
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Journal Gateway Service
|
|
Requires=systemd-journal-gatewayd.socket
|
|
|
|
[Service]
|
|
ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
|
|
User=systemd-journal-gateway
|
|
Group=systemd-journal-gateway
|
|
SupplementaryGroups=systemd-journal
|
|
PrivateTmp=yes
|
|
PrivateDevices=yes
|
|
PrivateNetwork=yes
|
|
ReadOnlySystem=yes
|
|
ProtectedHome=yes
|
|
|
|
[Install]
|
|
Also=systemd-journal-gatewayd.socket
|