From 53e7fcca4191c47ca48c378163bcb93ef6e632a5 Mon Sep 17 00:00:00 2001
From: Craig Andrews
Date: Tue, 28 Jun 2016 11:23:12 -0400
Subject: MDEV-10298: Systemd hardening Add ProtectSystem=full, NoNewPrivileges=true, PrivateDevices=true, and ProtectHome=true to the systemd units.
---
 support-files/mariadb.service.in | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'support-files/mariadb.service.in')
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index 55202c696fb..879c4d90a6c 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -45,6 +45,16 @@ Group=mysql
 # To allow memlock to be used as non-root user if set in configuration
 CapabilityBoundingSet=CAP_IPC_LOCK

+# Prevent writes to /usr, /boot, and /etc
+ProtectSystem=full
+
+NoNewPrivileges=true
+
+PrivateDevices=true
+
+# Prevent accessing /home, /root and /run/user
+ProtectHome=true
+
 # Execute pre and post scripts as root, otherwise it does it as User=
 PermissionsStartOnly=true

-- cgit v1.2.1
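Review bot: `NoNewPrivileges=true` and `PrivateDevices=true` are added without the one-line rationale that the two neighbouring directives get, and none of the four new settings tells an administrator with a non-default layout what to do when the service stops starting. Per the comments in the hunk, `ProtectSystem=full` prevents writes to /usr, /boot and /etc and `ProtectHome=true` blocks /home, /root and /run/user, so a datadir, tmpdir, log or key file under those paths will break after upgrade; `PrivateDevices=true` likewise hides physical device nodes, which matters for InnoDB data files placed on raw partitions. I would add comments such as `# Block privilege gain via setuid/setgid binaries or file capabilities` and `# Private /dev with pseudo-devices only; override in a drop-in if data files live on raw devices`, plus a short pointer that any of these can be relaxed in a `mariadb.service.d/*.conf` override instead of editing the unit. It is also worth confirming `NoNewPrivileges=true` on SELinux- or AppArmor-confined installs, since it can interfere with domain transitions on exec.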