Lock down filesystem access for supybot
authorTom Hughes <tom@compton.nu>
Wed, 2 Nov 2022 19:27:12 +0000 (19:27 +0000)
committerTom Hughes <tom@compton.nu>
Wed, 2 Nov 2022 19:27:12 +0000 (19:27 +0000)
cookbooks/supybot/recipes/default.rb

index 68d8eb7447e53891bbc87a513d70e5b3d067baeb..6b6d2661e2dbf29d203308edca5c534775d59ffb 100644 (file)
@@ -133,8 +133,9 @@ systemd_service "supybot" do
   exec_start "/usr/bin/supybot /etc/supybot/supybot.conf"
   private_tmp true
   private_devices true
-  protect_system true
+  protect_system "strict"
   protect_home true
+  read_write_paths ["/etc/supybot", "/var/lib/supybot", "/var/log/supybot"]
   no_new_privileges true
   restart "on-failure"
 end
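Review bot: Listing `/etc/supybot` in `read_write_paths` leaves the directory that holds `supybot.conf` (the file `exec_start` loads) writable by the service, so even under `protect_system "strict"` the bot process can still change its own configuration persistently. If the bot only needs to write particular files there (presumably it rewrites its registry at runtime; that is not visible in this hunk), consider narrowing the entry to those files. Otherwise record the reason next to the property, e.g. `# supybot rewrites its config at runtime, so /etc/supybot must stay writable`. Separately, systemd refuses to start a unit when a listed path is missing unless the path is prefixed with `-`, so all three directories should be created earlier in the recipe, which lies outside this hunk.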