forked from chr4/salt-nginx
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.service
35 lines (28 loc) · 1011 Bytes
/
nginx.service
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# vim: ft=systemd
[Service]
NoNewPrivileges=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/var/log/nginx /var/run /var/cache/nginx
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN
LockPersonality=true
RestrictNamespaces=true
DevicePolicy=closed
PrivateDevices=true
RestrictSUIDSGID=true
RestrictRealtime=true
SystemCallArchitectures=native
RestrictAddressFamilies=AF_INET6 AF_INET AF_UNIX
MemoryDenyWriteExecute=true
# Restrict access to mails
InaccessiblePaths=/var/mail
# We can't enforce PrivateUsers, as nginx depends on the www-data user.
; PrivateUsers=true
# Using PrivateTemp=true caused "non-obvious issues".
# See: http://mailman.nginx.org/pipermail/nginx-devel/2020-March/013074.html
; PrivateTmp=true
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @swap @sync @resources
SystemCallErrorNumber=EPERM