Improve filesystem sandboxing for some services

[chef.git] / cookbooks / dev / recipes / default.rb

diff --git a/cookbooks/dev/recipes/default.rb b/cookbooks/dev/recipes/default.rb
index 7ab10d8f47ed9af1ad5aadad1f0afc954e7ed40a..db2057372489085c7d582d39e9c5e698bab1cc9b 100644 (file)
--- a/cookbooks/dev/recipes/default.rb
+++ b/cookbooks/dev/recipes/default.rb
@@ -292,8 +292,9 @@ if node[:postgresql][:clusters][:"14/main"]
     nice 10
     private_tmp true
     private_devices true
-    protect_system "full"
+    protect_system "strict"
     protect_home true
+    read_write_directories "/srv/%i.apis.dev.openstreetmap.org/logs"
     no_new_privileges true
   end
 
@@ -306,8 +307,9 @@ if node[:postgresql][:clusters][:"14/main"]
     exec_reload "/bin/kill -HUP $MAINPID"
     private_tmp true
     private_devices true
-    protect_system "full"
+    protect_system "strict"
     protect_home true
+    read_write_directories ["/srv/%i.apis.dev.openstreetmap.org/logs", "/srv/%i.apis.dev.openstreetmap.org/rails/tmp"]
     no_new_privileges true
     restart "on-failure"
   end