From 8f368b10a8cd0e097632874f720c49ce8eacea3a Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 15 Nov 2022 20:35:01 +0000
Subject: [PATCH] Tweak some tile sandboxes

---
 cookbooks/tile/recipes/default.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cookbooks/tile/recipes/default.rb b/cookbooks/tile/recipes/default.rb
index 02833254b..963c3dd2f 100644
--- a/cookbooks/tile/recipes/default.rb
+++ b/cookbooks/tile/recipes/default.rb
@@ -106,6 +106,7 @@ systemd_service "renderd" do
 limit_nofile 4096
 sandbox true
 restrict_address_families "AF_UNIX"
+ read_write_paths "/store/tiles"
 restart "on-failure"
 end

@@ -608,6 +609,7 @@ systemd_service "replicate" do
 user "tile"
 exec_start "/usr/local/bin/replicate"
 sandbox :enable_network => true
+ restrict_address_families "AF_UNIX"
 read_write_paths [
 "/store/database/nodes",
 "/var/lib/replicate",
--
2.45.1
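Review bot: The new `read_write_paths "/store/tiles"` in the renderd unit is the only writable exception in an otherwise sandboxed service, and nothing in the hunk records why it is needed or guarantees the directory exists when the unit starts. If the resource passes this through to systemd's `ReadWritePaths=` (presumed; the resource definition is not visible here), a missing or not-yet-mounted path makes namespace setup fail and renderd will not start. It is worth confirming that the recipe creates or mounts `/store/tiles` before this service is started. A short comment above the line, for example `# tile cache is the only path renderd may write under the sandbox`, would keep the exception from being widened later without thought. The `systemd_service "renderd"` block begins above the hunk.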
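Review bot: In the replicate unit, `restrict_address_families "AF_UNIX"` sits directly under `sandbox :enable_network => true`, and the hunk does not show whether the value is added to the families that network access needs or replaces them. If it is emitted verbatim as `RestrictAddressFamilies=AF_UNIX`, the service could no longer open AF_INET/AF_INET6 sockets and the enabled network would be unusable; if the resource merges the two, the line is correct but reads as a contradiction. A comment would make the intent clear, for example `# AF_UNIX is in addition to the inet families implied by enable_network`, adjusted to whatever the resource actually does. The block continues past the end of the hunk, so the rest of its sandbox settings are not visible here.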