Update systemd units

This commit is contained in:
Alexey Avramov 2020-02-16 23:45:36 +09:00
parent 122233ac2f
commit 805c2f1b27
2 changed files with 28 additions and 36 deletions


@ -7,9 +7,7 @@ After=system.slice
[Service] [Service]
ExecStart=${BINDIR}/nohang --config ${CONFDIR}/nohang/nohang-desktop.conf ExecStart=${BINDIR}/nohang --config ${CONFDIR}/nohang/nohang-desktop.conf
SyslogIdentifier=nohang-desktop SyslogIdentifier=nohang-desktop
KillMode=mixed KillMode=mixed
Restart=always Restart=always
RestartSec=0 RestartSec=0
@ -20,31 +18,29 @@ RestrictRealtime=yes
TasksMax=20 TasksMax=20
MemoryMax=200M MemoryMax=200M
# Restrict access to the file system
UMask=0027 UMask=0027
ReadOnlyPaths=/ ProtectSystem=strict
ReadWritePaths=/var/log ReadWritePaths=/var/log
InaccessiblePaths=/home /root InaccessiblePaths=/home /root
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateDevices=true
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
LockPersonality=yes
# Capabilities whitelist: # Capabilities whitelist:
# CAP_KILL is required to send signals (SIGTERM and SIGKILL) # CAP_KILL is required to send signals
# CAP_IPC_LOCK is required to mlockall() # CAP_IPC_LOCK is required to mlockall()
# CAP_SYS_PTRACE is required to check /proc/[pid]/exe realpathes # CAP_SYS_PTRACE is required to check /proc/[pid]/exe realpathes
# CAP_DAC_READ_SEARCH is required to read /proc/[pid]/environ files # CAP_DAC_READ_SEARCH is required to read /proc/[pid]/environ files
# CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE are required to send GUI notifications # CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE are required to send GUI notifications
CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
AmbientCapabilities=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
# `PrivateNetwork=true` breaks GUI notifications on oldstable distros (Debian 8, CentOS 7, Linux Mint 18) # `PrivateNetwork=true` breaks GUI notifications on oldstable distros (Debian 8, CentOS 7, Linux Mint 18)
# On modern distros you can set PrivateNetwork=true for security reasons # On modern distros you can set PrivateNetwork=true for security reasons
PrivateNetwork=false PrivateNetwork=false
LockPersonality=yes
RestrictNamespaces=yes
ProtectKernelModules=true
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
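Review bot: `SystemCallArchitectures=native` appears only once, printed beside the old-side copies of LockPersonality/RestrictNamespaces/ProtectKernelModules/MemoryDenyWriteExecute that the hunk moves up under the new `# Restrict access to the file system` comment, so it looks as though the reordering dropped that directive from the new side instead of moving it; if that reading is right, re-add `SystemCallArchitectures=native` to the new block, since losing it silently widens the syscall surface the rest of the hardening is meant to shrink (the second file's hunk shows the identical pattern). With `ProtectSystem=strict` now in place, `ProtectHome=yes` would state the intent of the unchanged `InaccessiblePaths=/home /root` line more directly and also cover `/run/user`, which the explicit path list leaves visible; either way a one-line comment such as `# /home and /root are hidden from the service; /run/user is not` would document the choice. `AmbientCapabilities=` also appears only once: if the service runs as root the bounding set alone suffices, but if the unit is meant to drop to an unprivileged user the listed capabilities would no longer be granted to it — the `User=` setting that decides this lies outside the hunk, so please confirm against it.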


@ -7,9 +7,7 @@ After=system.slice
[Service] [Service]
ExecStart=${BINDIR}/nohang --config ${CONFDIR}/nohang/nohang.conf ExecStart=${BINDIR}/nohang --config ${CONFDIR}/nohang/nohang.conf
SyslogIdentifier=nohang SyslogIdentifier=nohang
KillMode=mixed KillMode=mixed
Restart=always Restart=always
RestartSec=0 RestartSec=0
@ -17,34 +15,32 @@ Nice=-5
CPUSchedulingResetOnFork=true CPUSchedulingResetOnFork=true
RestrictRealtime=yes RestrictRealtime=yes
TasksMax=25 TasksMax=20
MemoryMax=250M MemoryMax=200M
# Restrict access to the file system
UMask=0027 UMask=0027
ReadOnlyPaths=/ ProtectSystem=strict
ReadWritePaths=/var/log ReadWritePaths=/var/log
InaccessiblePaths=/home /root InaccessiblePaths=/home /root
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateDevices=true
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
LockPersonality=yes
# Capabilities whitelist: # Capabilities whitelist:
# CAP_KILL is required to send signals (SIGTERM and SIGKILL) # CAP_KILL is required to send signals
# CAP_IPC_LOCK is required to mlockall() # CAP_IPC_LOCK is required to mlockall()
# CAP_SYS_PTRACE is required to check /proc/[pid]/exe realpathes # CAP_SYS_PTRACE is required to check /proc/[pid]/exe realpathes
# CAP_DAC_READ_SEARCH is required to read /proc/[pid]/environ files # CAP_DAC_READ_SEARCH is required to read /proc/[pid]/environ files
# CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE are required to send GUI notifications # CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE are required to send GUI notifications
CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
AmbientCapabilities=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
# `PrivateNetwork=true` breaks GUI notifications on oldstable distros (Debian 8, CentOS 7, Linux Mint 18) # `PrivateNetwork=true` breaks GUI notifications on oldstable distros (Debian 8, CentOS 7, Linux Mint 18)
# On modern distros you can set PrivateNetwork=true for security reasons # On modern distros you can set PrivateNetwork=true for security reasons
PrivateNetwork=false PrivateNetwork=false
LockPersonality=yes
RestrictNamespaces=yes
ProtectKernelModules=true
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target