blob: 7990208ba62b6f165cae920617a9a1241904fe93 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
[Unit]
Description=mpd scrobbler
Documentation=https://git.fcuny.net/fcuny/mpd-stats
ConditionFileIsExecutable=%h/workspace/go/bin/mpd-scrobbler
[Service]
ExecStart=%h/workspace/go/bin/mpd-scrobbler
Restart=on-failure
PrivateTmp=yes
ProtectSystem=strict
NoNewPrivileges=yes
ProtectHome=yes
# Prohibit access to any kind of namespacing:
RestrictNamespaces=yes
# Make cgroup file system hierarchy inaccessible:
ProtectControlGroups=yes
# Deny access to other user’s information in /proc:
ProtectProc=invisible
# Only allow access to /proc pid files, no other files:
ProcSubset=pid
# This daemon must not create any new files, but set the umask to 077 just in case.
UMask=077
# Filter dangerous system calls. The following is listed as safe basic choice
# in systemd.exec(5):
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallErrorNumber=EPERM
# Deny kernel execution domain changing:
LockPersonality=yes
# Deny memory mappings that are writable and executable:
MemoryDenyWriteExecute=yes
|
