diff --git a/Builds/containers/shared/rippled.service b/Builds/containers/shared/rippled.service
index 24d9dd975..27233704e 100644
--- a/Builds/containers/shared/rippled.service
+++ b/Builds/containers/shared/rippled.service
@@ -5,11 +5,33 @@ Wants=network-online.target
 
 [Service]
 Type=simple
-ExecStart=/opt/ripple/bin/rippled --net --silent --conf /etc/opt/ripple/rippled.cfg
+ExecStart=/usr/bin/rippled --net --silent --conf /etc/rippled/rippled.cfg
 Restart=on-failure
 User=rippled
 Group=rippled
 LimitNOFILE=65536
 
+# Paths
+StateDirectory=rippled
+LogsDirectory=rippled
+ConfigurationDirectory=rippled
+
+# Security
+NoNewPrivileges=true
+
+# Sandboxing
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+RestrictSUIDSGID=true
+
 [Install]
 WantedBy=multi-user.target
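Review bot: With `ProtectSystem=strict` the only writable locations left to the daemon are the directories created by `StateDirectory=` and `LogsDirectory=` (`/var/lib/rippled`, `/var/log/rippled`), so the database and log locations in `/etc/rippled/rippled.cfg` (presumably the `[database_path]` and `[debug_logfile]` entries) must point under those paths or the service will fail at runtime with a read-only-filesystem error; nothing in the unit says so, and a comment above `ProtectSystem=strict` such as `# strict: rippled.cfg must keep its database and log paths under /var/lib/rippled and /var/log/rippled` would save the next packager a debugging session. `MemoryDenyWriteExecute=true` and `PrivateUsers=true` are the two additions most likely to break a binary that was not tested under them (any W+X mapping, and uid mapping for files read outside the state directory), so the commit should state that the daemon was verified to start and sync with the full set applied. The block restricts what the process can see but not what it can do: there is no address-family, namespace, capability or syscall restriction, which is what the remaining standard hardening directives below add; `SystemCallFilter=` in particular must be validated against the real workload (the default action kills the service on the first blocked syscall).
```ini
# Sandboxing
ProtectSystem=strict
# … unchanged: ProtectHome … MemoryDenyWriteExecute …
RestrictSUIDSGID=true
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
ProtectHostname=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
CapabilityBoundingSet=
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
```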