
Fix sandboxing: disable @privileged

This commit is contained in:
Salamandar 2024-02-06 10:24:48 +01:00
parent f541a94c00
commit 1f9cffdf50


@ -1,5 +1,5 @@
[Unit]
Description=OS.js: web-desktop.
Description=OS.js: web-desktop.
After=network.target
[Service]
@ -33,7 +33,8 @@ ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation
# @privileged
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html