Commit 56086b60 authored by Jelle van der Waa 🚧

php-fpm: sync hardening options from php upstream

parent 7d0ad690
......@@ -16,6 +16,17 @@ ProtectHome=true
ProtectSystem=full
InaccessiblePaths=-/var/lib/mysql
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
# Restricts the set of socket address families accessible to the processes of this unit.
# Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
MemoryAccounting=yes
CPUAccounting=yes
IOAccounting=yes
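Review bot: The RestrictAddressFamilies= allow-list includes AF_NETLINK, but the two comment lines above it give only the general rationale (CVE-2016-8655) and do not say why php-fpm needs netlink sockets. Either add a one-line comment naming what requires AF_NETLINK, or drop it so the list reads AF_INET AF_INET6 AF_UNIX. The other new directives (ProtectKernelTunables=, ProtectControlGroups=, RestrictRealtime=, RestrictNamespaces=) carry no comment at all; a short note that they are synced from the upstream php unit, and that socket() calls for a family outside the list fail with EAFNOSUPPORT, would tell administrators what to look for and to relax a setting through a drop-in override rather than by editing the packaged file.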