From 975b5d8d2c962b9eae838bfdd6d2d49322afb3d9 Mon Sep 17 00:00:00 2001
From: Federico Ceratto
Date: Sun, 12 Feb 2017 14:09:27 +0000
Subject: Update service file, minor changes

---
 debian/netdata.service | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/debian/netdata.service b/debian/netdata.service
index c720f3e87..53541a9e2 100644
--- a/debian/netdata.service
+++ b/debian/netdata.service
@@ -28,10 +28,11 @@ LimitNOFILE=65536
 WorkingDirectory=/tmp
 
 # Hardening
-#AppArmorProfile=system_netdata
-#NoNewPrivileges=true
+
+NoNewPrivileges=false
 PermissionsStartOnly=true
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+# CAP_SETGID is required for setgroups()
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SETGID
 PrivateTmp=true
 ProtectHome=read-only
 ProtectSystem=full
@@ -42,5 +43,13 @@ ReadWriteDirectories=/var/lib/netdata
 ReadWriteDirectories=/var/log/netdata
 ReadWriteDirectories=/var/cache/netdata
 
+# Access to devices and kernel modules and tunables is required
+PrivateDevices=no
+ProtectKernelModules=no
+ProtectKernelTunables=no
+
+StandardOutput=syslog+console
+StandardError=syslog+console
+
 [Install]
 WantedBy=multi-user.target
-- 
cgit v1.2.3
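Review bot: `NoNewPrivileges=false` in the first hunk is the one hardening line changed without a rationale comment, and it turns the previously commented-out `NoNewPrivileges=true` into an explicit opt-out, so any setuid or file-capability binary the service starts can still gain privileges up to the bounding set. If that is intentional (presumably a helper relies on setuid or file capabilities — confirm), say so next to the setting, e.g. `# NoNewPrivileges must stay off: <helper> obtains its capabilities via setuid/file caps`. The same hunk widens the bounding set with `CAP_SETGID`; it is worth checking whether setgroups() is only called at start-up, in which case the capability could be dropped once the process is running. The `[Service]` section starts outside the hunk, so the effective user and start commands are not visible here.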
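Review bot: The comment `# Access to devices and kernel modules and tunables is required` in the second hunk does not say what kind of access is needed, and the three settings below it are all written as `no`, which is already the systemd default. `ProtectKernelTunables=yes` only makes /proc/sys and /sys read-only, and `ProtectKernelModules=yes` mainly blocks module loading, which this unit's `CapabilityBoundingSet=` already excludes by omitting CAP_SYS_MODULE, so a read-only collector may well run with both enabled — worth testing before pinning them off. If they do have to stay disabled, name the concrete reason in the comment, e.g. `# <collector> needs write access to <path>` or `# enabling these implies NoNewPrivileges=yes, which breaks <helper>`.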