Since we started locking down the beesd service, we no longer have privileges to do some things. Have systemd do it for us instead. Fixes: #195 Signed-off-by: Zygo Blaxell <bees@furryterror.org>
# systemd template unit for bees (beesd@<instance>.service), read by systemd.
# %i is the instance name and is passed through to beesd as its argument.
# @PREFIX@ is presumably replaced with the install prefix at build time —
# confirm against the build scripts.
[Unit]
Description=Bees (%i)
Documentation=https://github.com/Zygo/bees
After=sysinit.target

[Service]
Type=simple
# The instance name (%i) selects which filesystem beesd works on.
ExecStart=@PREFIX@/sbin/beesd --no-timestamps %i

# Scheduling: run deduplication as a low-priority background job so it
# yields to interactive work — batch CPU policy, idle I/O class, Nice=19
# and low cgroup weights. CPUWeight/IOWeight apply in normal operation;
# the Startup* variants apply only while the system boots or shuts down.
CPUAccounting=true
CPUSchedulingPolicy=batch
CPUWeight=12
IOSchedulingClass=idle
# NOTE(review): the idle class has no priority levels, so this value is
# most likely ignored by the kernel — harmless, but confirm.
IOSchedulingPriority=7
IOWeight=10
# On stop, KillSignal (SIGTERM) is sent to every process in the service's
# control group, not only the main process.
KillMode=control-group
KillSignal=SIGTERM
MemoryAccounting=true
Nice=19
# Restart after a signal, timeout or watchdog failure, but not after a
# clean exit or a non-zero exit status.
Restart=on-abnormal
# systemd creates /run/bees before start and removes it on stop. It stays
# writable even under ProtectSystem=strict below. This is presumably the
# privileged setup the commit message hands over to systemd — confirm.
RuntimeDirectory=bees
StartupCPUWeight=25
StartupIOWeight=25

# Hide other users' processes in /proc/
ProtectProc=invisible

# Mount the whole file system hierarchy read-only (except /dev, /proc, /sys);
# the service gets its own mount namespace, so mounts it makes stay private.
ProtectSystem=strict

# Make /home, /root and /run/user inaccessible
ProtectHome=true

# Mount a private tmpfs on /tmp/ and /var/tmp/.
# /run/ and /var/run/ cannot be made private the same way: systemd uses them.
PrivateTmp=true

# Disable network access (private network namespace, loopback only)
PrivateNetwork=true

# Use a private IPC namespace, and a private UTS namespace so the hostname
# cannot be changed from inside the service
PrivateIPC=true
ProtectHostname=true

# Disable write access to kernel variables through /proc and /sys
ProtectKernelTunables=true

# Disable write access to control groups
ProtectControlGroups=true

# Set capabilities of the new program
# The first three are required for accessing any file on the mounted filesystem.
# The last one is required for mounting the filesystem.
# NOTE(review): no User= is set, so the service runs as root, and no
# CapabilityBoundingSet= is set, so the process keeps the full capability
# set. AmbientCapabilities= adds nothing in that case; it only takes
# effect if a User= is added. To actually limit the service to these four
# capabilities, a matching CapabilityBoundingSet= would be needed — not
# changed here because bees' real requirements are not visible in this file.
AmbientCapabilities=CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SYS_ADMIN

# With NoNewPrivileges, execve() of setuid/setcap programs (e.g. sudo)
# cannot gain any new privilege.
NoNewPrivileges=true

[Install]
WantedBy=basic.target