path: root/0002-service_execstart_paths_security_and_sandboxing.patch
Diffstat (limited to '0002-service_execstart_paths_security_and_sandboxing.patch')
-rw-r--r--0002-service_execstart_paths_security_and_sandboxing.patch39
1 files changed, 39 insertions, 0 deletions
diff --git a/0002-service_execstart_paths_security_and_sandboxing.patch b/0002-service_execstart_paths_security_and_sandboxing.patch
new file mode 100644
index 000000000000..d0d4b23ddc2d
--- /dev/null
+++ b/0002-service_execstart_paths_security_and_sandboxing.patch
@@ -0,0 +1,39 @@
+diff --git a/Builds/containers/shared/rippled.service b/Builds/containers/shared/rippled.service
+index 24d9dd975..27233704e 100644
+--- a/Builds/containers/shared/rippled.service
++++ b/Builds/containers/shared/rippled.service
+@@ -5,11 +5,33 @@ Wants=network-online.target
+
+ [Service]
+ Type=simple
+-ExecStart=/opt/ripple/bin/rippled --net --silent --conf /etc/opt/ripple/rippled.cfg
++ExecStart=/usr/bin/rippled --net --silent --conf /etc/rippled/rippled.cfg
+ Restart=on-failure
+ User=rippled
+ Group=rippled
+ LimitNOFILE=65536
+
++# Paths
++StateDirectory=rippled
++LogsDirectory=rippled
++ConfigurationDirectory=rippled
++
++# Security
++NoNewPrivileges=true
++
++# Sandboxing
++ProtectSystem=strict
++ProtectHome=true
++PrivateTmp=true
++PrivateDevices=true
++PrivateUsers=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++MemoryDenyWriteExecute=true
++RestrictSUIDSGID=true
++
+ [Install]
+ WantedBy=multi-user.target
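Review bot: `ProtectSystem=strict` on the new line makes the whole filesystem read-only except the directories granted by `StateDirectory=`/`LogsDirectory=`, so any writable path rippled takes from `/etc/rippled/rippled.cfg` (database or log locations) that is not under /var/lib/rippled or /var/log/rippled will fail with a read-only error at start-up; the unit should record this contract with a comment such as `# ProtectSystem=strict: writable paths in rippled.cfg must live under /var/lib/rippled or /var/log/rippled`. The sandboxing block also leaves the common gaps for a network daemon open: there is no `CapabilityBoundingSet=`, `SystemCallFilter=`, `RestrictAddressFamilies=`, `RestrictNamespaces=` or `LockPersonality=`, so the process keeps its full bounding set and system-call surface even though it runs unprivileged. `MemoryDenyWriteExecute=true` should be confirmed against the actual binary, since it breaks anything that maps writable-executable memory. Below are the directives I would add after `RestrictSUIDSGID=true`, which is where this hunk ends.
```ini
# … unchanged: [Service] up to RestrictSUIDSGID=true …
CapabilityBoundingSet=
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
SystemCallFilter=@system-service
SystemCallArchitectures=native
```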