MINOR: systemd: Add SystemD's Protect*= options to the unit file

While the haproxy workers usually are running chrooted, the master
process is not. This patch is a pretty safe defense in depth measure
to ensure haproxy cannot touch sensitive parts of the file system.

ProtectSystem takes non-boolean arguments in newer SystemD versions,
but setting those would leave older systems such as Ubuntu Xenial
unprotected. Distro maintainers and system administrators could
adapt the ProtectSystem value to the SystemD version they ship.
Tim Duesterhus 2018-02-27 20:19:04 +01:00 committed by Willy Tarreau
parent 1ce8de2d93
commit 8a9659212e


@ -18,5 +18,15 @@ Type=notify
# reduced performance. See systemd.service(5) and systemd.exec(5) for further # reduced performance. See systemd.service(5) and systemd.exec(5) for further
# information. # information.
# NoNewPrivileges=true
# ProtectHome=true
# If you want to use 'ProtectSystem=strict' you should whitelist the PIDFILE,
# any state files and any other files written using 'ReadWritePaths' or
# 'RuntimeDirectory'.
# ProtectSystem=true
# ProtectKernelTunables=true
# ProtectKernelModules=true
# ProtectControlGroups=true
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
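Review bot: every directive this hunk adds (`# NoNewPrivileges=true`, `# ProtectHome=true`, `# ProtectSystem=true`, the `ProtectKernel*`/`ProtectControlGroups` lines) is commented out, so nothing in the unit actually changes and the commit message's claim that the patch will "ensure haproxy cannot touch sensitive parts of the file system" does not hold for a default install. Either ship the sandboxing lines enabled (the message already argues they are a safe defense in depth measure) or reword the message and the in-file comment to say these are opt-in settings the administrator has to uncomment. The `ProtectSystem=strict` note is useful, but it should also say which paths the shipped unit would need in `ReadWritePaths=` (at least the directory holding PIDFILE referenced elsewhere in the unit), otherwise an administrator enabling it gets a failing service with no hint as to why.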