nixos/phpfpm: enable PrivateTmp=true

This seems to be mostly a pre - #57677 relict. As postgresql sockets now are not in /tmp anymore, isolate /tmp.
2019-11-21 23:31:19 +01:00
parent 758efb9348
commit 4321a88f44
2 changed files with 9 additions and 0 deletions
--- a/nixos/modules/services/web-servers/phpfpm/default.nix
+++ b/nixos/modules/services/web-servers/phpfpm/default.nix
@@ -262,6 +262,7 @@ in {
        in {
          Slice = "phpfpm.slice";
          PrivateDevices = true;
+          PrivateTmp = true;
          ProtectSystem = "full";
          ProtectHome = true;
          # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work