mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
units: lock down coredump service a bit
Dissecting a coredump is possibly risky and might take a while, hence lock down the unit as much as we can.
This commit is contained in:
parent
b6c7278c38
commit
924453c225
@ -19,9 +19,19 @@ Before=shutdown.target
|
||||
ExecStart=-@rootlibexecdir@/systemd-coredump
|
||||
Nice=9
|
||||
OOMScoreAdjust=500
|
||||
RuntimeMaxSec=5min
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
PrivateNetwork=yes
|
||||
ProtectSystem=strict
|
||||
RuntimeMaxSec=5min
|
||||
ProtectHome=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelModules=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictNamespaces=yes
|
||||
RestrictAddressFamilies=AF_UNIX
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||
SystemCallArchitectures=native
|
||||
ReadWritePaths=/var/lib/systemd/coredump
|
||||
ProtectKernelModules=yes
|
||||
|
Loading…
Reference in New Issue
Block a user