mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
6134cf9ae5
Mount /usr, /etc read only, protect the /home, /tmp and kernel directories. Also disallow privilige escalation.
22 lines
389 B
SYSTEMD
22 lines
389 B
SYSTEMD
[Unit]
|
|
Description=Security Tracker update service
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
User=security
|
|
Group=security
|
|
WorkingDirectory=/srv/http/security-tracker
|
|
ExecStart=/usr/bin/make update
|
|
|
|
NoNewPrivileges=yes
|
|
ProtectSystem=full
|
|
ProtectHome=true
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|