diff options
author | Lennart Weller <lhw@ring0.de> | 2016-08-01 10:52:17 +0000 |
---|---|---|
committer | Lennart Weller <lhw@ring0.de> | 2016-08-01 14:58:15 +0000 |
commit | 48d81e65fe51e722c50c091ca203c773d970ec21 (patch) | |
tree | 0cda3ceb9232f0e1f678b32612bb20bc5fc97e2d | |
parent | control file fixes (diff) | |
download | netdata-48d81e65fe51e722c50c091ca203c773d970ec21.tar.xz netdata-48d81e65fe51e722c50c091ca203c773d970ec21.zip |
Fixes for service startup and extra config files
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/netdata.install | 1 | ||||
-rw-r--r-- | debian/netdata.service | 28 |
3 files changed, 18 insertions, 18 deletions
diff --git a/debian/changelog b/debian/changelog index f981ec34c..5be08135c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +netdata (1.2.0+dfsg-3) UNRELEASED; urgency=medium + + * Add missing config files + * Further restrict process permissions + + -- Lennart Weller <lhw@ring0.de> Mon, 01 Aug 2016 12:52:00 +0200 + netdata (1.2.0+dfsg-2) unstable; urgency=low * Remove Multi-Arch from binary package diff --git a/debian/netdata.install b/debian/netdata.install index 081be5e52..002dfee1d 100644 --- a/debian/netdata.install +++ b/debian/netdata.install @@ -1,5 +1,6 @@ /usr/sbin debian/netdata.conf /etc/netdata/ +etc/netdata/ usr/lib/*/netdata/charts.d/*.sh usr/lib/*/netdata/plugins.d/apps.plugin usr/lib/*/netdata/plugins.d/charts.d.dryrun-helper.sh diff --git a/debian/netdata.service b/debian/netdata.service index c4f30e0bb..424651b24 100644 --- a/debian/netdata.service +++ b/debian/netdata.service @@ -20,7 +20,6 @@ KillSignal=SIGTERM User=netdata Group=netdata -PermissionsStartOnly=true Restart=on-abnormal RestartSec=2s LimitNOFILE=65536 @@ -28,25 +27,18 @@ LimitNOFILE=65536 WorkingDirectory=/tmp # Hardening -# AppArmorProfile=system_netdata -# CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FOWNER -NoNewPrivileges=yes -#PrivateDevices=yes -PrivateTmp=yes -ProtectHome=yes +#AppArmorProfile=system_netdata +#NoNewPrivileges=true +PermissionsStartOnly=true +CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE +PrivateTmp=true +ProtectHome=read-only ProtectSystem=full -# TODO: restrict ReadOnlyDirectories + ReadOnlyDirectories=/ -ReadWriteDirectories=-/proc -ReadWriteDirectories=-/run -ReadWriteDirectories=-/var/log/netdata -ReadWriteDirectories=-/var -ReadWriteDirectories=-/var/cache -ReadWriteDirectories=-/var/cache/netdata -ReadWriteDirectories=-/var/run +ReadWriteDirectories=/run +ReadWriteDirectories=/var/log/netdata +ReadWriteDirectories=/var/cache/netdata [Install] WantedBy=multi-user.target - - - |