mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-22 12:30:07 +00:00
MINOR: systemd: Add SystemD's Protect*= options to the unit file
While the haproxy workers usually are running chrooted the master process is not. This patch is a pretty safe defense in depth measure to ensure haproxy cannot touch sensitive parts of the file system. ProtectSystem takes non-boolean arguments in newer SystemD versions, but setting those would leave older systems such as Ubuntu Xenial unprotected. Distro maintainers and system administrators could adapt the ProtectSystem value to the SystemD version they ship.
This commit is contained in:
parent
1ce8de2d93
commit
8a9659212e
@ -18,5 +18,15 @@ Type=notify
|
||||
# reduced performance. See systemd.service(5) and systemd.exec(5) for further
|
||||
# information.
|
||||
|
||||
# NoNewPrivileges=true
|
||||
# ProtectHome=true
|
||||
# If you want to use 'ProtectSystem=strict' you should whitelist the PIDFILE,
|
||||
# any state files and any other files written using 'ReadWritePaths' or
|
||||
# 'RuntimeDirectory'.
|
||||
# ProtectSystem=true
|
||||
# ProtectKernelTunables=true
|
||||
# ProtectKernelModules=true
|
||||
# ProtectControlGroups=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
Loading…
Reference in New Issue
Block a user