enable simple sandboxing on systemd service (#9234)

author: Yurii Izorkin <izorkin@elven.pw> 2020-07-20 02:53:06 +0300
committer: GitHub <noreply@github.com> 2020-07-20 09:53:06 +1000
commit: 65b83ab2ac2e1a540737be152e32dc2a6bff7936 (patch)
tree: ef32988ea215645051db3d7e0a8f0ec6ea860634 /system
parent: bb1eb470ab8fcaa395a58db9bc4cbaa2ed256196 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/system/netdata.service.in b/system/netdata.service.in
index 7efd17057a..ccbd1cdf7f 100644
--- a/system/netdata.service.in
+++ b/system/netdata.service.in
@@ -44,5 +44,22 @@ CPUSchedulingPolicy=idle
 # For scheduling policy 'other' and 'batch', this sets the lowest niceness of netdata (-20 highest to 19 lowest).
 #Nice=0
 
+# Capabilities
+CapabilityBoundingSet=CAP_DAC_OVERRIDE    # is required for freeipmi and slabinfo plugins
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH # is required for apps plugin
+CapabilityBoundingSet=CAP_FOWNER          # is required for freeipmi plugin
+CapabilityBoundingSet=CAP_SETPCAP         # is required for apps, perf and slabinfo plugins
+CapabilityBoundingSet=CAP_SYS_ADMIN       # is required for perf plugin
+CapabilityBoundingSet=CAP_SYS_PTRACE      # is required for apps plugin
+CapabilityBoundingSet=CAP_NET_RAW         # is required for fping app
+
+# Sandboxing
+ProtectSystem=full
+ProtectHome=read-only
+# PrivateTmp break netdatacli functionality. See - https://github.com/netdata/netdata/issues/7587
+#PrivateTmp=true
+ProtectControlGroups=true
+PrivateMounts=true
+
 [Install]
 WantedBy=multi-user.target
author	Yurii Izorkin <izorkin@elven.pw>	2020-07-20 02:53:06 +0300
committer	GitHub <noreply@github.com>	2020-07-20 09:53:06 +1000
commit	65b83ab2ac2e1a540737be152e32dc2a6bff7936 (patch)
tree	ef32988ea215645051db3d7e0a8f0ec6ea860634 /system
parent	bb1eb470ab8fcaa395a58db9bc4cbaa2ed256196 (diff)