Applied suggested improvements from https://gist.github.com/Wuestengecko/57daca658c9af5d8f9b834f524025a89 (missing dependency, systemd dynamic user and several more)

author: Mario Hros 2018-11-16 23:12:35 +0100
committer: Mario Hros 2018-11-16 23:12:35 +0100
commit: fd9cdcb7967fec6303fd777426b663e45bb71ac2 (patch)
tree: 640a857fb47960a16b5eb811c8b7ca03a54be897 /carbonapi.service
parent: 6bc5273a2e92bb87a047b6adc7feb739135984e9 (diff)
download: aur-fd9cdcb7967fec6303fd777426b663e45bb71ac2.tar.gz
1 files changed, 20 insertions, 0 deletions
diff --git a/carbonapi.service b/carbonapi.service
index 311f56332533..625626f42488 100644
--- a/carbonapi.service
+++ b/carbonapi.service
@@ -8,5 +8,25 @@ Type=simple
 ExecStart=/usr/bin/carbonapi -config /etc/carbonapi.yaml
 Restart=on-failure
 
+DynamicUser=true
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+NoNewPrivileges=true
+
+ProtectSystem=strict
+ProtectHome=true
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RemoveIPC=true
+
 [Install]
 WantedBy=multi-user.target
author	Mario Hros	2018-11-16 23:12:35 +0100
committer	Mario Hros	2018-11-16 23:12:35 +0100
commit	fd9cdcb7967fec6303fd777426b663e45bb71ac2 (patch)
tree	640a857fb47960a16b5eb811c8b7ca03a54be897 /carbonapi.service
parent	6bc5273a2e92bb87a047b6adc7feb739135984e9 (diff)
download	aur-fd9cdcb7967fec6303fd777426b663e45bb71ac2.tar.gz