database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-12-24 11:21:21 +03:00
Code Activity

MDEV-10298: Systemd hardening

Browse Source 
Add ProtectSystem=full, NoNewPrivileges=true, PrivateDevices=true, and ProtectHome=true to the systemd units.
This commit is contained in:
Craig Andrews
2016-06-28 11:23:12 -04:00
committed by Sergey Vojtovich
parent f280a87c66
commit 53e7fcca41
2 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
support-files/mariadb.service.in
View File

@@ -45,6 +45,16 @@ Group=mysql
# To allow memlock to be used as non-root user if set in configuration
CapabilityBoundingSet=CAP_IPC_LOCK
# Prevent writes to /usr, /boot, and /etc
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
# Prevent accessing /home, /root and /run/user
ProtectHome=true
# Execute pre and post scripts as root, otherwise it does it as User=
PermissionsStartOnly=true

10
support-files/mariadb@.service.in
View File

@@ -52,6 +52,16 @@ Group=mysql
# To allow memlock to be used as non-root user if set in configuration
CapabilityBoundingSet=CAP_IPC_LOCK
# Prevent writes to /usr, /boot, and /etc
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
# Prevent accessing /home, /root and /run/user
ProtectHome=true
# Execute pre and post scripts as root, otherwise it does it as User=
PermissionsStartOnly=true