mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2025-01-06 20:37:51 -05:00
afce4f2a51
Running nginx as non-root would be possible via CAP_NET_BIND_SERVICE as an ambient capability but it would be inherited by workers. It's better to leave the supervisor process as root for the time being unless nginx was taught to use socket activation or drop capabilities for workers.
27 lines
697 B
Plaintext
27 lines
697 B
Plaintext
[Service]
|
|
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
|
|
LockPersonality=true
|
|
NoNewPrivileges=true
|
|
MemoryDenyWriteExecute=true
|
|
PrivateIPC=true
|
|
PrivateTmp=true
|
|
ProcSubset=pid
|
|
ProtectClock=true
|
|
ProtectControlGroups=true
|
|
ProtectHome=true
|
|
ProtectHostname=true
|
|
ProtectKernelLogs=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
ProtectProc=invisible
|
|
ProtectSystem=strict
|
|
ReadWritePaths=/var/lib/nginx /var/log/nginx -/var/cache/nginx
|
|
RemoveIPC=true
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@obsolete
|