systemd: drop all capabilities by default

author Ruben Kerkhof <ruben@rubenkerkhof.com>

Wed, 9 Sep 2015 16:52:26 +0000 (18:52 +0200)

committer Ruben Kerkhof <ruben@rubenkerkhof.com>

Mon, 14 Sep 2015 18:41:33 +0000 (20:41 +0200)
author Ruben Kerkhof <ruben@rubenkerkhof.com>
Wed, 9 Sep 2015 16:52:26 +0000 (18:52 +0200)
committer Ruben Kerkhof <ruben@rubenkerkhof.com>
Mon, 14 Sep 2015 18:41:33 +0000 (20:41 +0200)
diff --git a/contrib/systemd.collectd.service b/contrib/systemd.collectd.service

index 50820bd..0e758e4 100644 (file)
--- a/contrib/systemd.collectd.service
+++ b/contrib/systemd.collectd.service
@@ -10,6 +10,15 @@ EnvironmentFile=-/etc/default/collectd
  ProtectSystem=full
  ProtectHome=true
  
+# drop all capabilities:
+CapabilityBoundingSet=
+# use this instead if you use the dns or ping plugin
+#CapabilityBoundingSet=CAP_NET_RAW
+# turn this on if you use the iptables next to the dns or ping plugin
+#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+
+NoNewPrivileges=true
+
  # Tell systemd it will receive a notification from collectd over it's control
  # socket once the daemon is ready. See systemd.service(5) for more details.
  Type=notify
author	Ruben Kerkhof <ruben@rubenkerkhof.com>
	Wed, 9 Sep 2015 16:52:26 +0000 (18:52 +0200)
committer	Ruben Kerkhof <ruben@rubenkerkhof.com>
	Mon, 14 Sep 2015 18:41:33 +0000 (20:41 +0200)