diff options
-rw-r--r-- | tools/mpd-stats/systemd/mpd-scrobbler.service | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/tools/mpd-stats/systemd/mpd-scrobbler.service b/tools/mpd-stats/systemd/mpd-scrobbler.service new file mode 100644 index 0000000..7990208 --- /dev/null +++ b/tools/mpd-stats/systemd/mpd-scrobbler.service @@ -0,0 +1,43 @@ +[Unit] +Description=mpd scrobbler +Documentation=https://git.fcuny.net/fcuny/mpd-stats +ConditionFileIsExecutable=%h/workspace/go/bin/mpd-scrobbler + +[Service] +ExecStart=%h/workspace/go/bin/mpd-scrobbler +Restart=on-failure + +PrivateTmp=yes +ProtectSystem=strict +NoNewPrivileges=yes +ProtectHome=yes + +# Prohibit access to any kind of namespacing: +RestrictNamespaces=yes + +# Make cgroup file system hierarchy inaccessible: +ProtectControlGroups=yes + +# Deny access to other user’s information in /proc: +ProtectProc=invisible + +# Only allow access to /proc pid files, no other files: +ProcSubset=pid + +# This daemon must not create any new files, but set the umask to 077 just in case. +UMask=077 + +# Filter dangerous system calls. The following is listed as safe basic choice +# in systemd.exec(5): +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@privileged +SystemCallFilter=~@resources +SystemCallErrorNumber=EPERM + +# Deny kernel execution domain changing: +LockPersonality=yes + +# Deny memory mappings that are writable and executable: +MemoryDenyWriteExecute=yes + |