Commit 4489a97c authored by Jelle van der Waa's avatar Jelle van der Waa 🚧
Browse files

archweb: harden memcached service further

Don't allow new priviliges, disallow changing kernel tunables/loading
modules and setting cgroups.
parent af1bff90
......@@ -8,9 +8,14 @@ Group=memcached
# Remove '-l 127.0.0.1' to listen on all addresses
ExecStart=/usr/bin/memcached -s /run/memcached/archweb.sock -o modern
Restart=always
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=true
PrivateDevices=yes
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
MemoryDenyWriteExecute=yes
[Install]
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment