From 40da3305b4647f0ebe8d6853651d9eb5d4dfb157 Mon Sep 17 00:00:00 2001 From: Martin Milata Date: Thu, 6 Feb 2020 18:43:58 +0100 Subject: [PATCH] service: enable sandboxing options See also https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing Change-Id: I7ae1070c170db2f91dbeb177f03390a0b45143eb Reviewed-on: https://gerrit.libreoffice.org/c/online/+/88128 Tested-by: Jenkins CollaboraOffice Reviewed-by: Jan Holesovsky --- loolwsd.service | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/loolwsd.service b/loolwsd.service index 93e98fd67..2204bb736 100644 --- a/loolwsd.service +++ b/loolwsd.service @@ -11,5 +11,13 @@ User=lool KillMode=control-group Restart=always +ProtectSystem=strict +ReadWritePaths=/opt/lool + +ProtectHome=yes +PrivateTmp=yes +ProtectControlGroups=yes +CapabilityBoundingSet=CAP_FOWNER CAP_MKNOD CAP_SYS_CHROOT + [Install] WantedBy=multi-user.target
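Review bot: The added `CapabilityBoundingSet=CAP_FOWNER CAP_MKNOD CAP_SYS_CHROOT` line keeps three fairly powerful capabilities in the bounding set, and neither the unit file nor the commit message says which part of the service needs each one. Please add a comment above that line naming the consumer of each capability, so a later reviewer can tell whether CAP_MKNOD or CAP_SYS_CHROOT can be dropped. Since the unit runs with `User=lool`, it would also help to note that the set is only an upper bound on what child processes can acquire and does not grant anything itself. Separately, `ReadWritePaths=/opt/lool` is hard-coded. Combined with `ProtectSystem=strict`, the unit will fail at namespace setup on installations where that directory does not exist. Either generate the path from the install prefix or write it as `ReadWritePaths=-/opt/lool` if a missing directory should be tolerated.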