author | Federico Ceratto <federico.ceratto@gmail.com> | 2017-02-12 14:09:27 +0000 |
---|---|---|
committer | Federico Ceratto <federico.ceratto@gmail.com> | 2017-02-12 14:09:36 +0000 |
commit | 975b5d8d2c962b9eae838bfdd6d2d49322afb3d9 (patch) | |
tree | 3e05b02f3f2a524b49d6e2b01bfe16790bfe8a01 | |
parent | build patch for kfreebsd and hurd (diff) | |
Update service file, minor changes
-rw-r--r-- | debian/netdata.service | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/debian/netdata.service b/debian/netdata.service
index c720f3e8..53541a9e 100644
--- a/debian/netdata.service
+++ b/debian/netdata.service
@@ -28,10 +28,11 @@ LimitNOFILE=65536
 WorkingDirectory=/tmp
 
 # Hardening
-#AppArmorProfile=system_netdata
-#NoNewPrivileges=true
+
+NoNewPrivileges=false
 PermissionsStartOnly=true
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+# CAP_SETGID is required for setgroups()
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SETGID
 PrivateTmp=true
 ProtectHome=read-only
 ProtectSystem=full
@@ -42,5 +43,13 @@ ReadWriteDirectories=/var/lib/netdata
 ReadWriteDirectories=/var/log/netdata
 ReadWriteDirectories=/var/cache/netdata
 
+# Access to devices and kernel modules and tunables is required
+PrivateDevices=no
+ProtectKernelModules=no
+ProtectKernelTunables=no
+
+StandardOutput=syslog+console
+StandardError=syslog+console
+
 [Install]
 WantedBy=multi-user.target |
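Review bot: `NoNewPrivileges=false` replaces the commented-out `#NoNewPrivileges=true` under `# Hardening` with no stated reason, while the `CAP_SETGID` line right below it does carry one. `false` is already systemd's default, so the line is only useful as documentation; a comment such as `# NoNewPrivileges stays off: <helper that needs setuid or file capabilities>` would record what has to change before it can be enabled. While it is off, a setuid or file-capability binary executed by the service can regain any capability left in `CapabilityBoundingSet`, so adding `CAP_SETGID` widens that reachable set as well. The `[Service]` section starts above this hunk, so the user and exec lines are not visible here.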
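Review bot: The single comment over `PrivateDevices=no`, `ProtectKernelModules=no` and `ProtectKernelTunables=no` says "access" is required, but the three settings restrict different things and all three values are already the defaults. `ProtectKernelTunables=yes` keeps `/proc/sys` and `/sys` readable and only makes them read-only, and `ProtectKernelModules=yes` mainly blocks module loading, which the bounding set in the previous hunk already excludes by omitting `CAP_SYS_MODULE`; if netdata only reads these trees, both could probably be `yes`, which is worth testing. I would document each line on its own, e.g. `# PrivateDevices=no: collectors read <device nodes>`. `StandardOutput=syslog+console` also copies all daemon output to the console, which is presumably intended but worth confirming.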