update nohang.service

2019-10-05 02:28:20 +09:00 · 2019-10-05 02:28:20 +09:00 · 77325b42d6
commit 77325b42d6
parent 137d392acc
1 changed files with 3 additions and 2 deletions
--- a/nohang/nohang.service.in
+++ b/nohang/nohang.service.in
@ -17,8 +17,9 @@ ProtectKernelModules=true
 SystemCallArchitectures=native
 ReadOnlyPaths=/
 ReadWritePaths=/tmp /var /run /dev/shm
-CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_LINUX_IMMUTABLE CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_TIME CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND CAP_NET_ADMIN CAP_MKNOD CAP_AUDIT_CONTROL
+PrivateTmp=true
-AmbientCapabilities=~CAP_SYS_ADMIN CAP_LINUX_IMMUTABLE CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_TIME CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND CAP_NET_ADMIN CAP_MKNOD CAP_AUDIT_CONTROL
+CapabilityBoundingSet=CAP_KILL CAP_AUDIT_WRITE CAP_DAC_READ_SEARCH CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_SYS_PTRACE CAP_CHOWN
 AmbientCapabilities=CAP_KILL CAP_AUDIT_WRITE CAP_DAC_READ_SEARCH CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_SYS_PTRACE
 [Install]
 WantedBy=multi-user.target