update units

2019-12-13 01:32:56 +09:00 · 2019-12-13 01:32:56 +09:00 · f071b341bd
commit f071b341bd
parent fbb6464217
2 changed files with 32 additions and 24 deletions
--- a/nohang/nohang-desktop.service.in
+++ b/nohang/nohang-desktop.service.in
@ -7,26 +7,30 @@ After=system.slice
 [Service]
 ExecStart=:TARGET_BIN:/nohang --config :TARGET_CONF:/nohang/nohang-desktop.conf
 SyslogIdentifier=nohang-desktop
+OOMScoreAdjust=-5
+KillMode=mixed
 Restart=always
 RestartSec=0
-KillMode=mixed
-TasksMax=100
-Nice=-5
-CPUSchedulingResetOnFork=true
-OOMScoreAdjust=-5
+TasksMax=50
 UMask=0027
+Nice=-5
+
+CPUSchedulingResetOnFork=true
+ProtectKernelModules=true
 PrivateNetwork=true
 PrivateTmp=true
-RestrictRealtime=yes
-MemoryDenyWriteExecute=yes
-ProtectKernelModules=true
-RestrictNamespaces=yes
 LockPersonality=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
 SystemCallArchitectures=native
+
 ReadOnlyPaths=/
-ReadWritePaths=/tmp /var /run /dev/shm
-CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
-AmbientCapabilities=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
+ReadWritePaths=/tmp /var/tmp /var/log/nohang /dev/shm
+InaccessiblePaths=/home /root
+
+CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
+AmbientCapabilities=CAP_KILL CAP_IPC_LOCK CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE

 [Install]
 WantedBy=multi-user.target
--- a/nohang/nohang.service.in
+++ b/nohang/nohang.service.in
@ -7,26 +7,30 @@ After=system.slice
 [Service]
 ExecStart=:TARGET_BIN:/nohang --config :TARGET_CONF:/nohang/nohang.conf
 SyslogIdentifier=nohang
+OOMScoreAdjust=-5
+KillMode=mixed
 Restart=always
 RestartSec=0
-KillMode=mixed
-TasksMax=100
-Nice=-5
-CPUSchedulingResetOnFork=true
-OOMScoreAdjust=-5
+TasksMax=50
 UMask=0027
+Nice=-5
+
+CPUSchedulingResetOnFork=true
+ProtectKernelModules=true
 PrivateNetwork=true
 PrivateTmp=true
-RestrictRealtime=yes
-MemoryDenyWriteExecute=yes
-ProtectKernelModules=true
-RestrictNamespaces=yes
 LockPersonality=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
 SystemCallArchitectures=native
+
 ReadOnlyPaths=/
-ReadWritePaths=/tmp /var /run /dev/shm
-CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
-AmbientCapabilities=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
+ReadWritePaths=/tmp /var/tmp /var/log/nohang /dev/shm
+InaccessiblePaths=/home /root
+
+CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
+AmbientCapabilities=CAP_KILL CAP_IPC_LOCK CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE

 [Install]
 WantedBy=multi-user.target