-rw-r--r--debian/netdata.service15
1 files changed, 12 insertions, 3 deletions
diff --git a/debian/netdata.service b/debian/netdata.service
index c720f3e87..53541a9e2 100644
--- a/debian/netdata.service
+++ b/debian/netdata.service
@@ -28,10 +28,11 @@ LimitNOFILE=65536
WorkingDirectory=/tmp
# Hardening
-#AppArmorProfile=system_netdata
-#NoNewPrivileges=true
+
+NoNewPrivileges=false
PermissionsStartOnly=true
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+# CAP_SETGID is required for setgroups()
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SETGID
PrivateTmp=true
ProtectHome=read-only
ProtectSystem=full
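Review bot: `NoNewPrivileges=false` sits under `# Hardening` with no reason given, and because false is already systemd's default, the line reads like a hardening setting while still letting anything the service spawns gain privileges through setuid or file-capability binaries. If a helper depends on that, record it above the line, for example `# NoNewPrivileges must stay off: <helper> gains privileges via setuid/file capabilities`, in the same way the new `CAP_SETGID` comment explains itself. The commented-out `AppArmorProfile=` line is removed without a replacement, so a short comment on whether a profile is still planned would help. The [Service] section starts outside this hunk, so whether `User=`/`Group=` is set cannot be checked from here.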
@@ -42,5 +43,13 @@ ReadWriteDirectories=/var/lib/netdata
ReadWriteDirectories=/var/log/netdata
ReadWriteDirectories=/var/cache/netdata
+# Access to devices and kernel modules and tunables is required
+PrivateDevices=no
+ProtectKernelModules=no
+ProtectKernelTunables=no
+
+StandardOutput=syslog+console
+StandardError=syslog+console
+
[Install]
WantedBy=multi-user.target
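Review bot: The three `=no` lines restate systemd defaults under one blanket comment, so a later maintainer cannot tell which sandbox option was actually found to break the agent. `ProtectKernelTunables=yes` makes /proc/sys, /sys and similar trees read-only rather than hidden, and `ProtectKernelModules=yes` mainly blocks module loading, so a collector that only reads these trees would presumably still work with both enabled; this should be tested before they are switched off. Keep only the relaxations that prove necessary and give each its own reason, e.g. `# PrivateDevices=no: collectors read <device nodes>`. The [Service] section begins outside this hunk.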