[pulseaudio-commits] [Git][pulseaudio/pulseaudio][master] daemon: Harden systemd service
Tanu Kaskinen
gitlab at gitlab.freedesktop.org
Mon Jun 17 08:49:59 UTC 2019
Tanu Kaskinen pushed to branch master at PulseAudio / pulseaudio
Commits:
279b99e1 by Topi Miettinen at 2019-06-17T08:44:35Z
daemon: Harden systemd service
Signed-off-by: Topi Miettinen <toiwoton at gmail.com>
- - - - -
1 changed file:
- src/daemon/systemd/user/pulseaudio.service.in
Changes:
=====================================
src/daemon/systemd/user/pulseaudio.service.in
=====================================
@@ -17,10 +17,17 @@ Requires=pulseaudio.socket
ConditionUser=!root
[Service]
-# Note that notify will only work if --daemonize=no
-Type=notify
ExecStart=@PA_BINARY@ --daemonize=no
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
Restart=on-failure
+RestrictNamespaces=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+# Note that notify will only work if --daemonize=no
+Type=notify
+UMask=0077
[Install]
Also=pulseaudio.socket
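Review bot: The added MemoryDenyWriteExecute=yes and SystemCallFilter=@system-service lines can break the daemon well after start-up, and the commit message (subject and sign-off only) does not say which modules or build configurations were exercised under them. MemoryDenyWriteExecute=yes refuses mappings that are both writable and executable, so any loaded module or linked library that generates code at runtime would fail. With SystemCallFilter= and no SystemCallErrorNumber= set, a system call outside the group terminates the process with SIGSYS, which together with the existing Restart=on-failure would surface as repeated restarts. Consider listing the tested configurations in the commit body, and either adding SystemCallErrorNumber=EPERM or stating that a hard kill is intended. Since this is the user unit (src/daemon/systemd/user/), the commit body should also note the minimum systemd version that understands these directives.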
View it on GitLab: https://gitlab.freedesktop.org/pulseaudio/pulseaudio/commit/279b99e101c9d4d25e7ad7ce377623feb85352ea