kookie
/
nomicon
1
0
Fork 0
Code Issues Projects Releases 1 Activity

Merge pull request #85133 from snicket2100/mosquitto-service-sandboxing

Browse Source 
mosquitto: systemd service sandboxing
wip/yesman
Sandro 4 years ago committed by GitHub
parent eb7d367200 2b0ee787dd
commit a390213f85
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 10
      nixos/modules/services/networking/mosquitto.nix

10
nixos/modules/services/networking/mosquitto.nix
Unescape View File

@ -232,6 +232,16 @@ in
Restart = "on-failure";
ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ProtectSystem = "strict";
ProtectHome = true;
PrivateDevices = true;
PrivateTmp = true;
ReadWritePaths = "${cfg.dataDir}";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
NoNewPrivileges = true;
};
preStart = ''
rm -f ${cfg.dataDir}/passwd

Write Preview
Loading…
Cancel
Save