about summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--tools/mpd-stats/systemd/mpd-scrobbler.service43
1 files changed, 43 insertions, 0 deletions
diff --git a/tools/mpd-stats/systemd/mpd-scrobbler.service b/tools/mpd-stats/systemd/mpd-scrobbler.service
new file mode 100644
index 0000000..7990208
--- /dev/null
+++ b/tools/mpd-stats/systemd/mpd-scrobbler.service
@@ -0,0 +1,43 @@
+[Unit]
+Description=mpd scrobbler
+Documentation=https://git.fcuny.net/fcuny/mpd-stats
+ConditionFileIsExecutable=%h/workspace/go/bin/mpd-scrobbler
+
+[Service]
+ExecStart=%h/workspace/go/bin/mpd-scrobbler
+Restart=on-failure
+
+PrivateTmp=yes
+ProtectSystem=strict
+NoNewPrivileges=yes
+ProtectHome=yes
+
+# Prohibit access to any kind of namespacing:
+RestrictNamespaces=yes
+
+# Make cgroup file system hierarchy inaccessible:
+ProtectControlGroups=yes
+
+# Deny access to other user’s information in /proc:
+ProtectProc=invisible
+
+# Only allow access to /proc pid files, no other files:
+ProcSubset=pid
+
+# This daemon must not create any new files, but set the umask to 077 just in case.
+UMask=077
+
+# Filter dangerous system calls. The following is listed as safe basic choice
+# in systemd.exec(5):
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources
+SystemCallErrorNumber=EPERM
+
+# Deny kernel execution domain changing:
+LockPersonality=yes
+
+# Deny memory mappings that are writable and executable:
+MemoryDenyWriteExecute=yes
+