New daemon architecture
This commit is contained in:
27
dist/systemd/blehd-root.service
vendored
Normal file
27
dist/systemd/blehd-root.service
vendored
Normal file
@@ -0,0 +1,27 @@
|
||||
[Unit]
|
||||
Description=Bleh MXW01 helper daemon (root)
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/local/bin/blehd --socket /run/bleh/blehd.sock --group bleh
|
||||
Restart=on-failure
|
||||
RestartSec=1
|
||||
|
||||
RuntimeDirectory=bleh
|
||||
RuntimeDirectoryMode=0755
|
||||
|
||||
# Hardening (still useful even as root)
|
||||
NoNewPrivileges=true
|
||||
PrivateTmp=true
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectControlGroups=true
|
||||
RestrictSUIDSGID=true
|
||||
LockPersonality=true
|
||||
MemoryDenyWriteExecute=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Reference in New Issue
Block a user