From 0c0f44fd4a4d092b054e2612c03f4e203e2554ea Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Thu, 24 Nov 2022 00:59:48 +0000
Subject: [PATCH] Relax sandboxing for the web-statistics service

---
 cookbooks/web/recipes/statistics.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/cookbooks/web/recipes/statistics.rb b/cookbooks/web/recipes/statistics.rb
index 769cf5753..d3829f06c 100644
--- a/cookbooks/web/recipes/statistics.rb
+++ b/cookbooks/web/recipes/statistics.rb
@@ -32,10 +32,13 @@ end
 
 systemd_service "web-statistics" do
   description "Generate web statistics"
-  exec_start "/usr/local/bin/statistics"
+  environment "RAILS_ENV" => "production"
   user "rails"
+  working_directory rails_directory
+  exec_start "/usr/local/bin/statistics"
   sandbox :enable_network => true
-  read_write_paths "#{rails_directory}/tmp"
+  memory_deny_write_execute false
+  read_write_paths ["#{rails_directory}/tmp", "/var/log/web"]
 end
 
 systemd_timer "web-statistics" do
-- 
2.43.2