Improve sandboxing of matomo archiver

author Tom Hughes <tom@compton.nu>

Fri, 25 Nov 2022 17:48:50 +0000 (17:48 +0000)

committer Tom Hughes <tom@compton.nu>

Fri, 25 Nov 2022 17:50:29 +0000 (17:50 +0000)
author Tom Hughes <tom@compton.nu>
Fri, 25 Nov 2022 17:48:50 +0000 (17:48 +0000)
committer Tom Hughes <tom@compton.nu>
Fri, 25 Nov 2022 17:50:29 +0000 (17:50 +0000)
diff --git a/cookbooks/matomo/recipes/default.rb b/cookbooks/matomo/recipes/default.rb

index 2bc613e13ffd4e2e046ea11db46554c6b82a75a2..9cea5099d67a24f8cdda8462b682f505bdb79cf1 100644 (file)
--- a/cookbooks/matomo/recipes/default.rb
+++ b/cookbooks/matomo/recipes/default.rb
@@ -203,7 +203,8 @@ systemd_service "matomo-archive" do
    description "Matomo report archiving"
    exec_start "/usr/bin/php /srv/matomo.openstreetmap.org/console core:archive --url=https://matomo.openstreetmap.org/"
    user "www-data"
-  sandbox :enable_network => true
+  sandbox true
+  proc_subset "all"
    memory_deny_write_execute false
    restrict_address_families "AF_UNIX"
    read_write_paths "/opt/matomo-#{version}/matomo/tmp"
author	Tom Hughes <tom@compton.nu>
	Fri, 25 Nov 2022 17:48:50 +0000 (17:48 +0000)
committer	Tom Hughes <tom@compton.nu>
	Fri, 25 Nov 2022 17:50:29 +0000 (17:50 +0000)