Add RestrictNamespaces=yes
This commit is contained in:
parent
fe29c72b12
commit
1ac3a1c1f7
1 changed files with 3 additions and 1 deletions
|
@ -16,14 +16,16 @@ ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1
|
|||
NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
DevicePolicy=closed
|
||||
ProtectSystem=full
|
||||
ProtectControlGroups=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
RestrictRealtime=yes
|
||||
LockPersonality=yes
|
||||
|
||||
|
||||
# Denying access to capabilities that should not be relevant for webapps
|
||||
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
|
||||
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
|
||||
|
|
Loading…
Reference in a new issue