authorFederico Ceratto <federico.ceratto@gmail.com>2017-02-12 14:09:27 +0000
committerFederico Ceratto <federico.ceratto@gmail.com>2017-02-12 14:09:36 +0000
commit975b5d8d2c962b9eae838bfdd6d2d49322afb3d9 (patch)
tree3e05b02f3f2a524b49d6e2b01bfe16790bfe8a01
parentbuild patch for kfreebsd and hurd (diff)
Update service file, minor changes
-rw-r--r--debian/netdata.service15
1 files changed, 12 insertions, 3 deletions
diff --git a/debian/netdata.service b/debian/netdata.service
index c720f3e8..53541a9e 100644
--- a/debian/netdata.service
+++ b/debian/netdata.service
@@ -28,10 +28,11 @@ LimitNOFILE=65536
WorkingDirectory=/tmp
# Hardening
-#AppArmorProfile=system_netdata
-#NoNewPrivileges=true
+
+NoNewPrivileges=false
PermissionsStartOnly=true
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+# CAP_SETGID is required for setgroups()
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SETGID
PrivateTmp=true
ProtectHome=read-only
ProtectSystem=full
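Review bot: `NoNewPrivileges=false` is written out under the `# Hardening` heading with no reason given, while the `CAP_SETGID` line added just below it does get one. `false` is already systemd's default, so the line only records that the restriction was left off. With it off, any setuid or file-capability helper the service executes can still gain privileges up to the bounding set, which this hunk also widens. If a helper needs that, name it in a comment above the line, for example `# NoNewPrivileges stays off: <helper> must gain privileges on exec`; otherwise set it to `true`. The [Service] section starts outside this hunk, so whether `User=` is set cannot be seen from here.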
@@ -42,5 +43,13 @@ ReadWriteDirectories=/var/lib/netdata
ReadWriteDirectories=/var/log/netdata
ReadWriteDirectories=/var/cache/netdata
+# Access to devices and kernel modules and tunables is required
+PrivateDevices=no
+ProtectKernelModules=no
+ProtectKernelTunables=no
+
+StandardOutput=syslog+console
+StandardError=syslog+console
+
[Install]
WantedBy=multi-user.target
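Review bot: The single comment above `PrivateDevices=no` covers three unrelated protections and does not say which collector needs which of them. All three values are systemd's defaults, so these lines only document a decision not to sandbox. `ProtectKernelTunables=yes` would make /proc/sys and /sys read-only rather than hide them, which a collector that only reads metrics may tolerate, so it is worth testing whether that one can be enabled. I would put one comment on each setting naming the component that fails, for example `# PrivateDevices=yes hides the /dev nodes <collector> reads`. Separately, `StandardOutput=syslog+console` also copies the daemon's output to the system console; `syslog` alone is probably sufficient.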