Use default sandboxing for tilelog service

author Tom Hughes <tom@compton.nu>

Tue, 15 Nov 2022 19:16:24 +0000 (19:16 +0000)

committer Tom Hughes <tom@compton.nu>

Tue, 15 Nov 2022 19:16:34 +0000 (19:16 +0000)
author Tom Hughes <tom@compton.nu>
Tue, 15 Nov 2022 19:16:24 +0000 (19:16 +0000)
committer Tom Hughes <tom@compton.nu>
Tue, 15 Nov 2022 19:16:34 +0000 (19:16 +0000)
diff --git a/cookbooks/tilelog/recipes/default.rb b/cookbooks/tilelog/recipes/default.rb

index 8a53bab547ac34d5d3e701d2aeefd9c3a60b9cf0..44791c28868e797732ec8d388b62cdbe5573365f 100644 (file)
--- a/cookbooks/tilelog/recipes/default.rb
+++ b/cookbooks/tilelog/recipes/default.rb
@@ -55,12 +55,8 @@ systemd_service "tilelog" do
    user "www-data"
    exec_start "/usr/local/bin/tilelog"
    nice 10
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
    read_write_paths tilelog_output_directory
-  no_new_privileges true
  end
  
  systemd_timer "tilelog" do
author	Tom Hughes <tom@compton.nu>
	Tue, 15 Nov 2022 19:16:24 +0000 (19:16 +0000)
committer	Tom Hughes <tom@compton.nu>
	Tue, 15 Nov 2022 19:16:34 +0000 (19:16 +0000)