MDEV-10298: Systemd hardening

Add ProtectSystem=full, NoNewPrivileges=true, PrivateDevices=true, and ProtectHome=true to the systemd units.
author: Craig Andrews <candrews@integralblue.com> 2016-06-28 11:23:12 -0400
committer: Sergey Vojtovich <svoj@mariadb.org> 2016-07-12 19:43:35 +0400
commit: 53e7fcca4191c47ca48c378163bcb93ef6e632a5 (patch)
tree: e14f19a197e8a3306d21c5bcffa9100dbd36a2a9 /support-files/mariadb.service.in
parent: f280a87c6609384fc2b962b27c1f9d3ac4a39150 (diff)
download: mariadb-git-53e7fcca4191c47ca48c378163bcb93ef6e632a5.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index 55202c696fb..879c4d90a6c 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -45,6 +45,16 @@ Group=mysql
 # To allow memlock to be used as non-root user if set in configuration
 CapabilityBoundingSet=CAP_IPC_LOCK
 
+# Prevent writes to /usr, /boot, and /etc
+ProtectSystem=full
+
+NoNewPrivileges=true
+
+PrivateDevices=true
+
+# Prevent accessing /home, /root and /run/user
+ProtectHome=true
+
 # Execute pre and post scripts as root, otherwise it does it as User=
 PermissionsStartOnly=true
author	Craig Andrews <candrews@integralblue.com>	2016-06-28 11:23:12 -0400
committer	Sergey Vojtovich <svoj@mariadb.org>	2016-07-12 19:43:35 +0400
commit	53e7fcca4191c47ca48c378163bcb93ef6e632a5 (patch)
tree	e14f19a197e8a3306d21c5bcffa9100dbd36a2a9 /support-files/mariadb.service.in
parent	f280a87c6609384fc2b962b27c1f9d3ac4a39150 (diff)
download	mariadb-git-53e7fcca4191c47ca48c378163bcb93ef6e632a5.tar.gz