upgpkg: promscale 0.1.2-3

harden systemd service

1 files changed, 29 insertions, 2 deletions

diff --git a/promscale.service b/promscale.service
index bdafd1e3c828..fe8656db898f 100644
--- a/promscale.service
+++ b/promscale.service
@@ -8,12 +8,39 @@ After=network-online.target
 User=promscale
 Group=promscale
 Restart=on-failure
+RestartSec=5s
 EnvironmentFile=-/etc/conf.d/promscale
 ExecStart=/usr/bin/promscale $PROMSCALE_ARGS
 ExecReload=/bin/kill -HUP $MAINPID
+
 NoNewPrivileges=true
-ProtectSystem=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+CapabilityBoundingSet=
+AmbientCapabilities=
+PrivateUsers=true
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+
+LimitNOFILE=1048576
+UMask=0077
 
 [Install]
 WantedBy=multi-user.target
-