0f599d1e68
These options are a good start for sandboxing the service. It's planned to set `ProtectSystem` to `strict` instead of `full`, but that requires specific directories to be configured as writable. It's also planned to filter system calls. However, that requires more testing but it shouldn't prevent us from applying these options for now and add others later. In my tests, Redmine only bound to an IPv4 address and Unix socket, which is why I restricted the address families to these both. The command `systemd-analyze security redmine.service` reports an overall exposure level of 2.9 with this patch. Signed-off-by: Felix Singer <felixsinger@posteo.net>
17 KiB
17 KiB