enabled DynamicUser isolation with LoadCredential workaround

root 2022-11-04 01:02:09 +01:00
parent d204f74d82
commit df77c598d9


@ -3,12 +3,13 @@ Description=Send invitation to Hackspace's Announce Discourse
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/opt/plenums_invite/invite.py ExecStart=/opt/plenums_invite/invite.py -c ${CREDENTIALS_DIRECTORY}/plenums_invite_conf
WorkingDirectory=/opt/plenums_invite WorkingDirectory=/opt/plenums_invite
LoadCredential=plenums_invite_conf:/opt/plenums_invite/invite.conf
UMask=077 UMask=077
#DynamicUser=yes DynamicUser=yes
PrivateDevices=yes PrivateDevices=yes
PrivateUsers=yes PrivateUsers=yes
@ -34,4 +35,5 @@ RestrictRealtime=true
RestrictNamespaces=true RestrictNamespaces=true
SystemCallArchitectures=native SystemCallArchitectures=native
LockPersonality=yes LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
RestrictAddressFamilies=AF_INET AF_INET6 RestrictAddressFamilies=AF_INET AF_INET6
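Review bot: The new `LoadCredential=plenums_invite_conf:/opt/plenums_invite/invite.conf` line still takes the secret from the directory that is also the `WorkingDirectory` and holds `invite.py`, and that directory has to stay reachable by the dynamic user, so the isolation gained here depends on `invite.conf` itself not being world-readable. The file's mode is not visible on this page; because the service manager reads the source before privileges are dropped, it can presumably be root-owned with mode 0600, and the unit should say so next to the directive, e.g. `# invite.conf: root:root 0600, read by systemd and exposed to the service only via $CREDENTIALS_DIRECTORY`. The rest of the `[Service]` section lies outside the shown hunks, so an existing comment of that kind cannot be ruled out.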