disable capabilities at systemd.service; #773

author: Costa Tsaousis <costa@tsaousis.gr> 2016-08-14 16:11:19 +0300
committer: Costa Tsaousis <costa@tsaousis.gr> 2016-08-14 16:11:19 +0300
commit: ca3e367aeb9065828c656ed45bf78661222e7d90 (patch)
tree: 593d16095af9866f6e1fa685e587f51228252059 /system/netdata.service.in
parent: a9e6334edcec1af647e84bd85542fd467d8e9a33 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/system/netdata.service.in b/system/netdata.service.in
index afdf0d78ce..2f71735661 100644
--- a/system/netdata.service.in
+++ b/system/netdata.service.in
@@ -28,8 +28,11 @@ SendSIGKILL=no
 # -----------------------------------------------------------------------------
 # Hardening netdata
 
-AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+# These will apply these capabilities to the entire netdata process tree
+# We don't want this - only apps.plugin needs them
+# AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+# CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
+
 PrivateTmp=true
 ProtectSystem=full
 ProtectHome=read-only
author	Costa Tsaousis <costa@tsaousis.gr>	2016-08-14 16:11:19 +0300
committer	Costa Tsaousis <costa@tsaousis.gr>	2016-08-14 16:11:19 +0300
commit	ca3e367aeb9065828c656ed45bf78661222e7d90 (patch)
tree	593d16095af9866f6e1fa685e587f51228252059 /system/netdata.service.in
parent	a9e6334edcec1af647e84bd85542fd467d8e9a33 (diff)