[systemd] Sandbox the mce service. JB#37897 JB#44449
mlehtima committed Jun 11, 2019
1 parent f3d5ba9 commit ae2c435
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions systemd/mce.service
Expand Up @@ -11,6 +11,18 @@ Conflicts=shutdown.target
Type=notify
ExecStart=/usr/sbin/mce --systemd
Restart=always
# Sandboxing
CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_DAC_OVERRIDE CAP_FOWNER
# System update uses /tmp/os-update-running which should be relocated
PrivateTmp=no
ProtectHome=yes
ProtectSystem=full
DevicePolicy=closed
DeviceAllow=char-input r
DeviceAllow=/dev/fb0 rw
DeviceAllow=/dev/i2c-0 rw
DeviceAllow=/dev/i2c-1 rw
DeviceAllow=/dev/memnotify rw

[Install]
WantedBy=multi-user.target
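
Review bot: The CapabilityBoundingSet line keeps CAP_DAC_OVERRIDE and CAP_FOWNER without saying why, and those two let the process bypass file permission and ownership checks on every path that ProtectHome=yes and ProtectSystem=full still leave writable. Please add a comment naming the files mce needs them for, in the same way the PrivateTmp=no line is explained; if it is a small fixed set, adjusting the ownership or mode of those files would let the bounding set shrink to CAP_BLOCK_SUSPEND. Two smaller points: PrivateTmp=no is already the default, so that line works only as a marker for the /tmp/os-update-running dependency and the comment could say so; and the DeviceAllow entries for /dev/i2c-0 and /dev/i2c-1 hard-code bus numbers, so a note on which hardware they correspond to would help anyone adapting the unit to a device with a different bus layout.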
