From: Tom Hughes <tom@compton.nu>
Date: Mon, 16 Jul 2018 11:15:01 +0000 (+0100)
Subject: Remove the PrivateDevices option from gpx-import
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/245c47e8eef7048456021c7e4b4dbb69489567f8

Remove the PrivateDevices option from gpx-import

This now implies NoNewPrivileges=true which stops gpx-import
being able to run the (setuid) exim to send mail.
---

diff --git a/cookbooks/web/recipes/gpx.rb b/cookbooks/web/recipes/gpx.rb
index ecf63a9a9..370b3113f 100644
--- a/cookbooks/web/recipes/gpx.rb
+++ b/cookbooks/web/recipes/gpx.rb
@@ -74,7 +74,6 @@ systemd_service "gpx-import" do
   exec_start "#{gpx_directory}/src/gpx-import"
   exec_reload "/bin/kill -HUP $MAINPID"
   private_tmp true
-  private_devices true
   protect_system "full"
   protect_home true
   restart "on-failure"