mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
4489a97c29
Don't allow new priviliges, disallow changing kernel tunables/loading modules and setting cgroups.
23 lines
475 B
Django/Jinja
23 lines
475 B
Django/Jinja
[Unit]
|
|
Description=Archweb Memcached Daemon
|
|
After=network.target
|
|
|
|
[Service]
|
|
User=archweb
|
|
Group=memcached
|
|
# Remove '-l 127.0.0.1' to listen on all addresses
|
|
ExecStart=/usr/bin/memcached -s /run/memcached/archweb.sock -o modern
|
|
Restart=always
|
|
NoNewPrivileges=yes
|
|
PrivateTmp=yes
|
|
ProtectHome=true
|
|
PrivateDevices=yes
|
|
ProtectSystem=full
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
MemoryDenyWriteExecute=yes
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|