enabled DynamicUser isolation with LoadCredential workaround
This commit is contained in:
parent
d204f74d82
commit
df77c598d9
1 changed files with 4 additions and 2 deletions
|
@ -3,12 +3,13 @@ Description=Send invitation to Hackspace's Announce Discourse
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
ExecStart=/opt/plenums_invite/invite.py
|
ExecStart=/opt/plenums_invite/invite.py -c ${CREDENTIALS_DIRECTORY}/plenums_invite_conf
|
||||||
|
|
||||||
WorkingDirectory=/opt/plenums_invite
|
WorkingDirectory=/opt/plenums_invite
|
||||||
|
LoadCredential=plenums_invite_conf:/opt/plenums_invite/invite.conf
|
||||||
|
|
||||||
UMask=077
|
UMask=077
|
||||||
#DynamicUser=yes
|
DynamicUser=yes
|
||||||
|
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateUsers=yes
|
PrivateUsers=yes
|
||||||
|
@ -34,4 +35,5 @@ RestrictRealtime=true
|
||||||
RestrictNamespaces=true
|
RestrictNamespaces=true
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
|
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
|
||||||
RestrictAddressFamilies=AF_INET AF_INET6
|
RestrictAddressFamilies=AF_INET AF_INET6
|
||||||
|
|
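Review bot: The new `SystemCallFilter=~@clock @debug ...` line in the second hunk is a deny list, so any syscall not in one of the named groups stays permitted; systemd's recommended baseline is to start from the `@system-service` allow list and subtract from it, e.g. `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources @obsolete`. The `@privileged` group already contains `@clock`, `@module`, `@raw-io`, `@reboot` and `@swap`, so listing those separately adds nothing. Because the unit sets no `SystemCallErrorNumber=`, a filtered call terminates the process with SIGSYS; whether the Python invite script and its libraries fit inside `@system-service` should be confirmed by running it under the tightened filter and checking the journal. On the `LoadCredential=plenums_invite_conf:/opt/plenums_invite/invite.conf` line in the first hunk, the source file is now read by systemd rather than the dynamic user, so its on-disk permissions should be verified to be root-only (the hunk does not show them) — the secret no longer needs to be readable by anyone else.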