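# mpd-scrobbler.service — systemd unit for the mpd scrobbler.
# All paths use %h (the home directory of the user the service manager runs
# as), so this reads as a per-user unit for `systemctl --user`; for a system
# unit %h would resolve to /root — confirm which manager loads it.
# NOTE(review): there is no [Install] section, so the unit cannot be enabled;
# a user unit would usually carry `[Install]` / `WantedBy=default.target`.
[Unit]
Description=mpd scrobbler
Documentation=https://git.fcuny.net/fcuny/mpd-stats
# Skip starting (without marking the unit failed) when the binary is missing
# or not executable. Evaluated by the manager before any sandboxing applies.
ConditionFileIsExecutable=%h/workspace/go/bin/mpd-scrobbler

[Service]
ExecStart=%h/workspace/go/bin/mpd-scrobbler
Restart=on-failure

PrivateTmp=yes
# Whole file system read-only except /dev, /proc and /sys; no ReadWritePaths=
# are granted, so the daemon cannot persist anything.
ProtectSystem=strict
NoNewPrivileges=yes
# ExecStart lives under %h, so the home directory has to remain visible inside
# the service's mount namespace. ProtectHome=yes makes /home, /root and
# /run/user inaccessible and empty, which would leave nothing to execute at the
# ExecStart path; read-only keeps the binary reachable while still denying any
# writes below the home directory. A stricter variant is ProtectHome=tmpfs
# together with BindReadOnlyPaths=%h/workspace/go/bin, which exposes only the
# binary's directory and hides the rest of %h.
ProtectHome=read-only

# Prohibit access to any kind of namespacing:
RestrictNamespaces=yes

# Make cgroup file system hierarchy inaccessible:
ProtectControlGroups=yes

# Deny access to other users' information in /proc:
ProtectProc=invisible

# Only allow access to /proc pid files, no other files:
ProcSubset=pid

# This daemon must not create any new files, but set the umask to 077 just in case.
UMask=077

# Filter dangerous system calls. The following is listed as safe basic choice
# in systemd.exec(5). Successive SystemCallFilter= lines refine each other:
# allow the @system-service set, then remove @privileged and @resources from it.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
# Filtered calls fail with EPERM instead of terminating the process, so a
# blocked call surfaces as an application error rather than a SIGSYS kill.
SystemCallErrorNumber=EPERM

# Deny kernel execution domain changing:
LockPersonality=yes

# Deny memory mappings that are writable and executable:
MemoryDenyWriteExecute=yes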