enabled DynamicUser isolation with LoadCredential workaround

root 2022-11-04 01:02:09 +01:00
parent d204f74d82
commit df77c598d9


@ -3,12 +3,13 @@ Description=Send invitation to Hackspace's Announce Discourse
[Service]
Type=oneshot
ExecStart=/opt/plenums_invite/invite.py
ExecStart=/opt/plenums_invite/invite.py -c ${CREDENTIALS_DIRECTORY}/plenums_invite_conf
WorkingDirectory=/opt/plenums_invite
LoadCredential=plenums_invite_conf:/opt/plenums_invite/invite.conf
UMask=077
#DynamicUser=yes
DynamicUser=yes
PrivateDevices=yes
PrivateUsers=yes
@ -34,4 +35,5 @@ RestrictRealtime=true
RestrictNamespaces=true
SystemCallArchitectures=native
LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
RestrictAddressFamilies=AF_INET AF_INET6
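Review bot: The credential source in `LoadCredential=plenums_invite_conf:/opt/plenums_invite/invite.conf` is still the file inside `WorkingDirectory`, which the dynamic user must be able to traverse to run `invite.py`, so the secret is only isolated if `invite.conf` itself is root-owned with mode 0600, and the unit cannot enforce that. I would document it above that line, e.g. `# invite.conf must be root:root 0600; the service only sees the copy in $CREDENTIALS_DIRECTORY`, or move the file to a root-only directory outside `/opt/plenums_invite`. As a smaller style point, the `%d` specifier (`-c %d/plenums_invite_conf`) names the credentials directory without relying on environment expansion in `ExecStart=`, provided the deployed systemd version supports it. The `[Service]` section continues outside the lines shown here.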