Add more hardening options
This commit is contained in:
parent
367b5eede0
commit
4f0d2f55e1
1 changed files with 13 additions and 2 deletions
|
|
@ -26,18 +26,29 @@ RestartSec=30s
|
|||
|
||||
# Hardening
|
||||
# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
|
||||
LockPersonality=true
|
||||
NoNewPrivileges=true
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=full
|
||||
ProtectSystem=strict
|
||||
RestrictRealtime=true
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
||||
RestrictNamespaces=true
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallArchitectures=native
|
||||
SystemCallErrorNumber=EPERM
|
||||
SystemCallFilter=@system-service
|
||||
|
||||
ReadWritePaths=-/var/log/
|
||||
ReadWritePaths=-{{ php_fpm_log_dir }}
|
||||
ReadWritePaths=-/var/run/
|
||||
ReadWritePaths=-/run/
|
||||
InaccessiblePaths=-/root/
|
||||
RuntimeDirectory=php
|
||||
RuntimeDirectoryPreserve=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
|||
Loading…
Reference in a new issue