author | Patrick Donnelly <pdonnell@redhat.com> | 2020-05-09 23:41:47 +0200 |
---|---|---|
committer | Patrick Donnelly <pdonnell@redhat.com> | 2020-05-09 23:53:05 +0200 |
commit | 9a84d5a09b13d6c58dc2738a06242e4f3e169b9c (patch) | |
tree | 2f28edab5d414ba9f9e144d04ce36c213b8968b2 /systemd/ceph-fuse@.service.in | |
parent | Merge PR #34948 into master (diff) | |
systemd: lock down more privileges

Including:

ProtectClock=true
ProtectHostname=true
ProtectKernelLogs=true
RestrictSUIDSGID=true

Also, alphabetize [service] settings.

Finally, add some protections for
systemd/ceph-immutable-object-cache@.service.in present in our other
service files but not this one.

Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>

Diffstat (limited to 'systemd/ceph-fuse@.service.in')
-rw-r--r-- | systemd/ceph-fuse@.service.in | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/systemd/ceph-fuse@.service.in b/systemd/ceph-fuse@.service.in index d603042b120..1ea4b17675a 100644 --- a/systemd/ceph-fuse@.service.in +++ b/systemd/ceph-fuse@.service.in @@ -6,21 +6,25 @@ Conflicts=umount.target PartOf=ceph-fuse.target [Service] -EnvironmentFile=-@SYSTEMD_ENV_FILE@ Environment=CLUSTER=ceph +EnvironmentFile=-@SYSTEMD_ENV_FILE@ ExecStart=/usr/bin/ceph-fuse -f --cluster ${CLUSTER} %I LockPersonality=true MemoryDenyWriteExecute=true NoNewPrivileges=true # ceph-fuse requires access to /dev fuse device PrivateDevices=no +ProtectClock=true ProtectControlGroups=true +ProtectHostname=true +ProtectKernelLogs=true ProtectKernelModules=true ProtectKernelTunables=true -TasksMax=infinity Restart=on-failure -StartLimitInterval=30min +RestrictSUIDSGID=true StartLimitBurst=3 +StartLimitInterval=30min +TasksMax=infinity [Install] WantedBy=ceph-fuse.target |
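
Review bot: `+ProtectClock=true` lands directly under `PrivateDevices=no` and its comment that ceph-fuse needs the /dev fuse device, and the two may conflict. systemd documents ProtectClock= as implying a `DeviceAllow=char-rtc r` entry, and under the default device policy a unit with any DeviceAllow= entry is limited to the listed devices, so access to /dev/fuse could be denied at mount time. Please confirm that a ceph-fuse mount still works with this unit on the systemd versions you target, or add an explicit `DeviceAllow=/dev/fuse rw` next to the existing comment. Separately, the four added directives are ignored with a warning on systemd releases that predate them, so the hardening silently does not apply there; stating the minimum systemd version in the commit message would help.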