From 65b83ab2ac2e1a540737be152e32dc2a6bff7936 Mon Sep 17 00:00:00 2001
From: Yurii Izorkin <izorkin@elven.pw>
Date: Mon, 20 Jul 2020 02:53:06 +0300
Subject: enable simple sandboxing on systemd service (#9234)

---
 system/netdata.service.in | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'system/netdata.service.in')

diff --git a/system/netdata.service.in b/system/netdata.service.in
index 7efd17057a..ccbd1cdf7f 100644
--- a/system/netdata.service.in
+++ b/system/netdata.service.in
@@ -44,5 +44,22 @@ CPUSchedulingPolicy=idle
 # For scheduling policy 'other' and 'batch', this sets the lowest niceness of netdata (-20 highest to 19 lowest).
 #Nice=0
 
+# Capabilities
+CapabilityBoundingSet=CAP_DAC_OVERRIDE    # is required for freeipmi and slabinfo plugins
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH # is required for apps plugin
+CapabilityBoundingSet=CAP_FOWNER          # is required for freeipmi plugin
+CapabilityBoundingSet=CAP_SETPCAP         # is required for apps, perf and slabinfo plugins
+CapabilityBoundingSet=CAP_SYS_ADMIN       # is required for perf plugin
+CapabilityBoundingSet=CAP_SYS_PTRACE      # is required for apps plugin
+CapabilityBoundingSet=CAP_NET_RAW         # is required for fping app
+
+# Sandboxing
+ProtectSystem=full
+ProtectHome=read-only
+# PrivateTmp break netdatacli functionality. See - https://github.com/netdata/netdata/issues/7587
+#PrivateTmp=true
+ProtectControlGroups=true
+PrivateMounts=true
+
 [Install]
 WantedBy=multi-user.target
-- 
cgit v1.2.3