Lock down filesystem access for supybot

[chef.git] / cookbooks / supybot / recipes / default.rb

diff --git a/cookbooks/supybot/recipes/default.rb b/cookbooks/supybot/recipes/default.rb
index 68d8eb7447e53891bbc87a513d70e5b3d067baeb..6b6d2661e2dbf29d203308edca5c534775d59ffb 100644 (file)
--- a/cookbooks/supybot/recipes/default.rb
+++ b/cookbooks/supybot/recipes/default.rb
@@ -133,8 +133,9 @@ systemd_service "supybot" do
   exec_start "/usr/bin/supybot /etc/supybot/supybot.conf"
   private_tmp true
   private_devices true
-  protect_system true
+  protect_system "strict"
   protect_home true
+  read_write_paths ["/etc/supybot", "/var/lib/supybot", "/var/log/supybot"]
   no_new_privileges true
   restart "on-failure"
 end