Commit c8c361f6 authored by Jelle van der Waa

archweb: harden mirrorcheck service

Disallow changing of kernel options, reading home/tmp and disallow the
service from seeing our /dev.
parent 4489a97c
......@@ -11,6 +11,14 @@ ExecStart={{ archweb_dir }}/env/bin/python manage.py mirrorcheck --location {{ l
{% endfor %}
Nice=5
RuntimeMaxSec=3600
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
[Install]
WantedBy=multi-user.target
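Review bot: ProtectSystem=strict is added without any ReadWritePaths=, so the whole file system hierarchy is read-only for the mirrorcheck process apart from /dev, /proc, /sys and the private /tmp. If manage.py mirrorcheck writes anything to disk, for example under {{ archweb_dir }}, those writes will now fail; either add a ReadWritePaths= entry for exactly those paths or state in the commit message that the job needs no writable paths. The commit message also covers only the kernel, home/tmp and /dev settings, so NoNewPrivileges=yes, ProtectSystem=strict and ProtectControlGroups=true go unexplained. Minor style point: the new lines mix yes and true for booleans, pick one.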