Diffstat (limited to 'debian/netdata.service')
-rw-r--r--debian/netdata.service28
1 files changed, 10 insertions, 18 deletions
diff --git a/debian/netdata.service b/debian/netdata.service
index c4f30e0bb..424651b24 100644
--- a/debian/netdata.service
+++ b/debian/netdata.service
@@ -20,7 +20,6 @@ KillSignal=SIGTERM
User=netdata
Group=netdata
-PermissionsStartOnly=true
Restart=on-abnormal
RestartSec=2s
LimitNOFILE=65536
@@ -28,25 +27,18 @@ LimitNOFILE=65536
WorkingDirectory=/tmp
# Hardening
-# AppArmorProfile=system_netdata
-# CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FOWNER
-NoNewPrivileges=yes
-#PrivateDevices=yes
-PrivateTmp=yes
-ProtectHome=yes
+#AppArmorProfile=system_netdata
+#NoNewPrivileges=true
+PermissionsStartOnly=true
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+PrivateTmp=true
+ProtectHome=read-only
ProtectSystem=full
-# TODO: restrict ReadOnlyDirectories
+
ReadOnlyDirectories=/
-ReadWriteDirectories=-/proc
-ReadWriteDirectories=-/run
-ReadWriteDirectories=-/var/log/netdata
-ReadWriteDirectories=-/var
-ReadWriteDirectories=-/var/cache
-ReadWriteDirectories=-/var/cache/netdata
-ReadWriteDirectories=-/var/run
+ReadWriteDirectories=/run
+ReadWriteDirectories=/var/log/netdata
+ReadWriteDirectories=/var/cache/netdata
[Install]
WantedBy=multi-user.target
-
-
-
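Review bot: `#NoNewPrivileges=true` leaves privilege gain through setuid or file-capability binaries enabled for the whole service, and the new `CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE` is then the only thing bounding what such a helper can acquire; neither line says why, so the next maintainer cannot tell whether re-enabling NoNewPrivileges would break a plugin. Presumably this is for a helper that needs CAP_SYS_PTRACE to read other processes' /proc entries — if so, record it above the commented line: `# NoNewPrivileges stays off so privileged plugins can use their file capabilities; CapabilityBoundingSet above is what limits them`. The same applies to `ProtectHome=read-only`, which relaxes the previous `yes` without a stated reason. Separately, the three new `ReadWriteDirectories=` lines drop the `-` prefix the removed lines had, so a missing `/var/log/netdata` or `/var/cache/netdata` now makes the unit fail to start instead of being ignored; keep the prefix (e.g. `ReadWriteDirectories=-/var/log/netdata`) unless the package guarantees those directories exist before start. The enclosing `[Service]` section header is outside the hunk.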