]> WPIA git - infra.git/blobdiff - modules/gitweb/files/fcgiwrap-sandbox.conf
projects / infra.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
add: git smart HTTP daemon
[infra.git] / modules / gitweb / files / fcgiwrap-sandbox.conf
diff --git a/modules/gitweb/files/fcgiwrap-sandbox.conf b/modules/gitweb/files/fcgiwrap-sandbox.conf
new file mode 100644 (file)
index 0000000..fefe18f
--- /dev/null
+++ b/modules/gitweb/files/fcgiwrap-sandbox.conf
@@ -0,0 +1,16 @@
+[Service]
+StandardError=journal
+User=nobody
+Group=nogroup
+
+# sandboxing options, see systemd.exec(5)
+NoNewPrivileges=yes
+PrivateNetwork=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ReadOnlyDirectories=/
+SystemCallArchitectures=native
+RestrictRealtime=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
WPIA Technical Infrastructure