Diffstat (limited to '0002-service_execstart_paths_security_and_sandboxing.patch')
-rw-r--r-- | 0002-service_execstart_paths_security_and_sandboxing.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/0002-service_execstart_paths_security_and_sandboxing.patch b/0002-service_execstart_paths_security_and_sandboxing.patch
new file mode 100644
index 000000000000..d0d4b23ddc2d
--- /dev/null
+++ b/0002-service_execstart_paths_security_and_sandboxing.patch
@@ -0,0 +1,39 @@
+diff --git a/Builds/containers/shared/rippled.service b/Builds/containers/shared/rippled.service
+index 24d9dd975..27233704e 100644
+--- a/Builds/containers/shared/rippled.service
++++ b/Builds/containers/shared/rippled.service
+@@ -5,11 +5,33 @@ Wants=network-online.target
+
+ [Service]
+ Type=simple
+-ExecStart=/opt/ripple/bin/rippled --net --silent --conf /etc/opt/ripple/rippled.cfg
++ExecStart=/usr/bin/rippled --net --silent --conf /etc/rippled/rippled.cfg
+ Restart=on-failure
+ User=rippled
+ Group=rippled
+ LimitNOFILE=65536
+
++# Paths
++StateDirectory=rippled
++LogsDirectory=rippled
++ConfigurationDirectory=rippled
++
++# Security
++NoNewPrivileges=true
++
++# Sandboxing
++ProtectSystem=strict
++ProtectHome=true
++PrivateTmp=true
++PrivateDevices=true
++PrivateUsers=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++MemoryDenyWriteExecute=true
++RestrictSUIDSGID=true
++
+ [Install]
+ WantedBy=multi-user.target |
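Review bot: `MemoryDenyWriteExecute=true` in the Sandboxing block is set without `SystemCallArchitectures=native`, and systemd.exec(5) recommends pairing the two because the W^X filter can otherwise be sidestepped through an alternative syscall ABI. The block also leaves capabilities and socket families unrestricted for a network-facing daemon. I would add `SystemCallArchitectures=native`, `CapabilityBoundingSet=` and `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` under `# Sandboxing`, after confirming the family list against what rippled actually opens. Separately, `ProtectSystem=strict` leaves only the `StateDirectory=` and `LogsDirectory=` paths writable, so the database and log paths in `/etc/rippled/rippled.cfg` (not shown here) need to sit under `/var/lib/rippled` and `/var/log/rippled` or the service will fail on its first write.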