dotya.ml/drone-ci-configs
2
0
Fork 0
Code Issues Pull Requests Releases Activity

tighten Capabilities and SystemCallFilter list

Browse Source
This commit is contained in:
surtur 2022-04-20 16:51:05 +02:00
parent 1d34e711f6
commit 9b6bc98086
Signed by: wanderer
GPG Key ID: 19CE1EC1D9E0486D
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
etc/systemd/system/drone.service
View File

@ -16,6 +16,9 @@ IOSchedulingClass=1
IOSchedulingPriority=0
CapabilityBoundingSet=
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_AUDIT_*
SystemCallFilter=~memfd_create @reboot @swap @resources @cpu-emulation @debug @module @clock @raw-io @obsolete
# ProtectProc=invisible
ProtectHome=true
RestrictNamespaces=uts ipc pid user cgroup