Remove some hardening options

Overly strict options prevent some services from running. It's
better to test these options and include them in specific roles.
phil 2023-02-25 23:26:58 +01:00
parent af84818e91
commit 955ba86525


@ -26,15 +26,13 @@ RestartSec=30s
# Hardening # Hardening
# https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in # https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true PrivateDevices=true
PrivateTmp=true PrivateTmp=true
ProtectClock=true ProtectClock=true
ProtectControlGroups=true ProtectControlGroups=true
ProtectKernelModules=true ProtectKernelModules=true
ProtectKernelTunables=true ProtectKernelTunables=true
ProtectSystem=strict ProtectSystem=full
RestrictRealtime=true RestrictRealtime=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true RestrictNamespaces=true
@ -42,12 +40,6 @@ SystemCallArchitectures=native
SystemCallErrorNumber=EPERM SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service SystemCallFilter=@system-service
ReadWritePaths=-/var/log/
ReadWritePaths=-{{ php_fpm_log_dir }}/
ReadWritePaths=-/var/run/
ReadWritePaths=-/run/
InaccessiblePaths=-/root/
# Resources # Resources
CPUQuota={{ php_fpm_cpu_quota }} CPUQuota={{ php_fpm_cpu_quota }}
MemoryHigh={{ php_fpm_memory_high }} MemoryHigh={{ php_fpm_memory_high }}
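Review bot: The first hunk also drops `LockPersonality=true` and `NoNewPrivileges=true`, which the commit message does not justify: neither option restricts filesystem writes, so they are unlikely to be what stopped services from running, and that is the stated reason for the change. The breakage is more plausibly `ProtectSystem=strict`, which this commit already relaxes to `ProtectSystem=full`; that relaxation is also what makes the `ReadWritePaths=` lines in the second hunk redundant, since `/var` and `/run` stay writable under `full`. I would keep `LockPersonality=true` and `NoNewPrivileges=true` here and move only the settings that actually break a service into the per-role overrides the message proposes. Some of the remaining sandboxing options (`SystemCallFilter=`, `PrivateDevices=`) imply `NoNewPrivileges=` in certain configurations, but that depends on the systemd version and on whether the unit runs as root, so the explicit line is the safer choice. If `InaccessiblePaths=-/root/` is being removed for the same reason, `ProtectHome=true` is the usual replacement and worth testing.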