dist/systemd: remove various Protect* settings (#831)

It pains me to do it, but, especially with hooks, the Protect
settings are too restrictive.

I wish there were a systemd API that allowed us to self-sandbox,
using these settings, _after_ parsing the config.

fixes https://github.com/zrepl/zrepl/issues/735
Christian Schwarz 2024-10-27 21:43:50 +01:00 committed by GitHub
parent 20abaa2e7f
commit cc0f3b1f13
GPG Key ID: B5690EEEBB952194


@ -12,26 +12,5 @@ RuntimeDirectoryMode=0700
# Make Go produce coredumps
Environment=GOTRACEBACK='crash'
ProtectSystem=strict
#PrivateDevices=yes # TODO ZFS needs access to /dev/zfs, could we limit this?
ProtectKernelTunables=yes
ProtectControlGroups=yes
PrivateTmp=yes
#PrivateUsers=yes # TODO Does not work, why?
ProtectKernelModules=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=yes
SystemCallArchitectures=native
ProtectHome=read-only
# ProtectHome=tmpfs totally possible, not by default though because of Debian stretch
# SystemCallFilter
# ~@privileged doesn't work with Ubuntu 18.04 ssh
SystemCallFilter=~ @mount @cpu-emulation @keyring @module @obsolete @raw-io @debug @clock @resources
# Go1.19 added automatic RLIMIT_NOFILE changes, so, we need to allow that
SystemCallFilter= setrlimit
[Install]
WantedBy=multi-user.target
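Review bot: The hunk header (`-12,26 +12,5`) shows the whole hardening block from `ProtectSystem=strict` down to `SystemCallFilter= setrlimit` being dropped, but only some of those settings plausibly break hooks. `RestrictRealtime=yes`, `SystemCallArchitectures=native`, `ProtectKernelModules=true` and `RestrictNamespaces=true` do not limit what a hook script can read or write, so they could stay; at a minimum the unit should keep them, and keep the removed lines as commented-out references with a note that users who do not run hooks can restore the full set via a `systemctl edit` drop-in. The removal also drops the in-file notes about `/dev/zfs`, `PrivateUsers` and the Go 1.19 `setrlimit` requirement; those explain non-obvious constraints and are worth preserving as comments even if the directives themselves go.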