summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLennart Weller <lhw@ring0.de>2016-08-01 10:52:17 +0000
committerLennart Weller <lhw@ring0.de>2016-08-01 14:58:15 +0000
commit48d81e65fe51e722c50c091ca203c773d970ec21 (patch)
tree0cda3ceb9232f0e1f678b32612bb20bc5fc97e2d
parentcontrol file fixes (diff)
downloadnetdata-48d81e65fe51e722c50c091ca203c773d970ec21.tar.xz
netdata-48d81e65fe51e722c50c091ca203c773d970ec21.zip
Fixes for service startup and extra config files
-rw-r--r--debian/changelog7
-rw-r--r--debian/netdata.install1
-rw-r--r--debian/netdata.service28
3 files changed, 18 insertions, 18 deletions
diff --git a/debian/changelog b/debian/changelog
index f981ec34c..5be08135c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+netdata (1.2.0+dfsg-3) UNRELEASED; urgency=medium
+
+ * Add missing config files
+ * Further restrict process permissions
+
+ -- Lennart Weller <lhw@ring0.de> Mon, 01 Aug 2016 12:52:00 +0200
+
netdata (1.2.0+dfsg-2) unstable; urgency=low
* Remove Multi-Arch from binary package
diff --git a/debian/netdata.install b/debian/netdata.install
index 081be5e52..002dfee1d 100644
--- a/debian/netdata.install
+++ b/debian/netdata.install
@@ -1,5 +1,6 @@
/usr/sbin
debian/netdata.conf /etc/netdata/
+etc/netdata/
usr/lib/*/netdata/charts.d/*.sh
usr/lib/*/netdata/plugins.d/apps.plugin
usr/lib/*/netdata/plugins.d/charts.d.dryrun-helper.sh
diff --git a/debian/netdata.service b/debian/netdata.service
index c4f30e0bb..424651b24 100644
--- a/debian/netdata.service
+++ b/debian/netdata.service
@@ -20,7 +20,6 @@ KillSignal=SIGTERM
User=netdata
Group=netdata
-PermissionsStartOnly=true
Restart=on-abnormal
RestartSec=2s
LimitNOFILE=65536
@@ -28,25 +27,18 @@ LimitNOFILE=65536
WorkingDirectory=/tmp
# Hardening
-# AppArmorProfile=system_netdata
-# CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FOWNER
-NoNewPrivileges=yes
-#PrivateDevices=yes
-PrivateTmp=yes
-ProtectHome=yes
+#AppArmorProfile=system_netdata
+#NoNewPrivileges=true
+PermissionsStartOnly=true
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+PrivateTmp=true
+ProtectHome=read-only
ProtectSystem=full
-# TODO: restrict ReadOnlyDirectories
+
ReadOnlyDirectories=/
-ReadWriteDirectories=-/proc
-ReadWriteDirectories=-/run
-ReadWriteDirectories=-/var/log/netdata
-ReadWriteDirectories=-/var
-ReadWriteDirectories=-/var/cache
-ReadWriteDirectories=-/var/cache/netdata
-ReadWriteDirectories=-/var/run
+ReadWriteDirectories=/run
+ReadWriteDirectories=/var/log/netdata
+ReadWriteDirectories=/var/cache/netdata
[Install]
WantedBy=multi-user.target
-
-
-