dotya.ml/ drone-ci-configs
2
0
Fork 0
Code Issues Pull Requests Releases Activity

set ProtectProc,ProcSubset

This commit is contained in:
surtur 2022-04-20 16:52:11 +02:00
parent 9b6bc98086
commit 02098c63d4
Signed by: wanderer
GPG Key ID: 19CE1EC1D9E0486D
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
etc/systemd/system/drone.service
View File

@ -19,7 +19,8 @@ CapabilityBoundingSet=
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_AUDIT_*
SystemCallFilter=~memfd_create @reboot @swap @resources @cpu-emulation @debug @module @clock @raw-io @obsolete
# ProtectProc=invisible
ProtectProc=invisible
ProcSubset=pid
ProtectHome=true
RestrictNamespaces=uts ipc pid user cgroup
NoNewPrivileges=True