From d225dda62ccb2036e610125f42cbe91b21809c80 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Fri, 25 Nov 2022 17:48:50 +0000
Subject: [PATCH] Improve sandboxing of matomo archiver

---
 cookbooks/matomo/recipes/default.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cookbooks/matomo/recipes/default.rb b/cookbooks/matomo/recipes/default.rb
index 2bc613e13..9cea5099d 100644
--- a/cookbooks/matomo/recipes/default.rb
+++ b/cookbooks/matomo/recipes/default.rb
@@ -203,7 +203,8 @@ systemd_service "matomo-archive" do
   description "Matomo report archiving"
   exec_start "/usr/bin/php /srv/matomo.openstreetmap.org/console core:archive --url=https://matomo.openstreetmap.org/"
   user "www-data"
-  sandbox :enable_network => true
+  sandbox true
+  proc_subset "all"
   memory_deny_write_execute false
   restrict_address_families "AF_UNIX"
   read_write_paths "/opt/matomo-#{version}/matomo/tmp"
-- 
2.43.2
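Review bot: The added `proc_subset "all"` relaxes the unit's view of /proc (presumably from the `pid` subset the cookbook's `sandbox` otherwise applies, which hides non-process entries such as /proc/cpuinfo and /proc/sys), but the hunk records neither why the archiver needs it nor which file it reads, so a later tightening would break the job silently; add a why-comment above it, e.g. `# Archiver reads non-process /proc entries; fails under ProcSubset=pid (TODO: name the file)`. Dropping `:enable_network => true` also deserves a comment next to `sandbox true`, because `exec_start` still passes `--url=https://matomo.openstreetmap.org/` while the unchanged `restrict_address_families "AF_UNIX"` line already rules out TCP sockets: if I read this right the unit now relies on Matomo's CLI-based multi-process archiving with MySQL reached over a UNIX socket, and any HTTP fallback to that URL would fail inside the sandbox, which is worth stating explicitly, e.g. `# No network: archiving runs in-process via CLI; DB access must use the UNIX socket`. The `systemd_service "matomo-archive"` block begins at the hunk header and its remaining properties continue past the end of the hunk.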