github/nohang
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Set PrivateNetwork=false in systemd units to fix GUI notifications on oldstable distros

Browse Source
This commit is contained in:
Alexey Avramov 2020-01-25 23:58:02 +09:00
parent ff620f0438
commit c215e11438
2 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
nohang/nohang-desktop.service.in
View File

@ -29,15 +29,16 @@ InaccessiblePaths=/home /root
# Capabilities whitelist:
# CAP_KILL is required to send signals (SIGTERM and SIGKILL)
# CAP_IPC_LOCK is required to mlockall()
# CAP_SYS_PTRACE are required to check /proc/[pid]/exe realpathes
# CAP_SYS_PTRACE is required to check /proc/[pid]/exe realpathes
# CAP_DAC_READ_SEARCH is required to read /proc/[pid]/environ files
# CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE are required to send GUI notifications
CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
AmbientCapabilities=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
# It breaks GUI notifications on oldstable distros (Debian 8, CentOS 7)
PrivateNetwork=true
# `PrivateNetwork=true` breaks GUI notifications on oldstable distros (Debian 8, CentOS 7, Linux Mint 18)
# On modern distros you can set PrivateNetwork=true for security reasons
PrivateNetwork=false
LockPersonality=yes
RestrictNamespaces=yes

7
nohang/nohang.service.in
View File

@ -29,15 +29,16 @@ InaccessiblePaths=/home /root
# Capabilities whitelist:
# CAP_KILL is required to send signals (SIGTERM and SIGKILL)
# CAP_IPC_LOCK is required to mlockall()
# CAP_SYS_PTRACE are required to check /proc/[pid]/exe realpathes
# CAP_SYS_PTRACE is required to check /proc/[pid]/exe realpathes
# CAP_DAC_READ_SEARCH is required to read /proc/[pid]/environ files
# CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE are required to send GUI notifications
CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
AmbientCapabilities=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
# It breaks GUI notifications on oldstable distros (Debian 8, CentOS 7)
PrivateNetwork=true
# `PrivateNetwork=true` breaks GUI notifications on oldstable distros (Debian 8, CentOS 7, Linux Mint 18)
# On modern distros you can set PrivateNetwork=true for security reasons
PrivateNetwork=false
LockPersonality=yes
RestrictNamespaces=yes