diff options
author | Yurii Izorkin <izorkin@elven.pw> | 2020-07-20 02:53:06 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-07-20 09:53:06 +1000 |
commit | 65b83ab2ac2e1a540737be152e32dc2a6bff7936 (patch) | |
tree | ef32988ea215645051db3d7e0a8f0ec6ea860634 /system | |
parent | bb1eb470ab8fcaa395a58db9bc4cbaa2ed256196 (diff) |
enable simple sandboxing on systemd service (#9234)
Diffstat (limited to 'system')
-rw-r--r-- | system/netdata.service.in | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/system/netdata.service.in b/system/netdata.service.in index 7efd17057a..ccbd1cdf7f 100644 --- a/system/netdata.service.in +++ b/system/netdata.service.in @@ -44,5 +44,22 @@ CPUSchedulingPolicy=idle # For scheduling policy 'other' and 'batch', this sets the lowest niceness of netdata (-20 highest to 19 lowest). #Nice=0 +# Capabilities +CapabilityBoundingSet=CAP_DAC_OVERRIDE # is required for freeipmi and slabinfo plugins +CapabilityBoundingSet=CAP_DAC_READ_SEARCH # is required for apps plugin +CapabilityBoundingSet=CAP_FOWNER # is required for freeipmi plugin +CapabilityBoundingSet=CAP_SETPCAP # is required for apps, perf and slabinfo plugins +CapabilityBoundingSet=CAP_SYS_ADMIN # is required for perf plugin +CapabilityBoundingSet=CAP_SYS_PTRACE # is required for apps plugin +CapabilityBoundingSet=CAP_NET_RAW # is required for fping app + +# Sandboxing +ProtectSystem=full +ProtectHome=read-only +# PrivateTmp break netdatacli functionality. See - https://github.com/netdata/netdata/issues/7587 +#PrivateTmp=true +ProtectControlGroups=true +PrivateMounts=true + [Install] WantedBy=multi-user.target |