diff options
Diffstat (limited to 'support-files/mariadb@.service.in')
| -rw-r--r-- | support-files/mariadb@.service.in | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in index 18adf0e0eac..b7ac3b808bf 100644 --- a/support-files/mariadb@.service.in +++ b/support-files/mariadb@.service.in @@ -52,6 +52,16 @@ Group=mysql # To allow memlock to be used as non-root user if set in configuration CapabilityBoundingSet=CAP_IPC_LOCK +# Prevent writes to /usr, /boot, and /etc +ProtectSystem=full + +NoNewPrivileges=true + +PrivateDevices=true + +# Prevent accessing /home, /root and /run/user +ProtectHome=true + # Execute pre and post scripts as root, otherwise it does it as User= PermissionsStartOnly=true |