Blame harden_promtail.service.patch
|
|
a24c53 |
Index: loki-2.5.0+git.1649366683.2d9d0ee23/docs/sources/clients/aws/ec2/promtail.service
|
|
|
fdb740 |
===================================================================
|
|
|
a24c53 |
--- loki-2.5.0+git.1649366683.2d9d0ee23.orig/docs/sources/clients/aws/ec2/promtail.service
|
|
|
a24c53 |
+++ loki-2.5.0+git.1649366683.2d9d0ee23/docs/sources/clients/aws/ec2/promtail.service
|
|
|
fdb740 |
@@ -1,6 +1,18 @@
|
|
|
fdb740 |
[Unit]
|
|
|
fdb740 |
Description=Promtail
|
|
|
fdb740 |
[Service]
|
|
|
fdb740 |
+# added automatically, for details please see
|
|
|
fdb740 |
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
|
fdb740 |
+ProtectSystem=full
|
|
|
fdb740 |
+ProtectHome=true
|
|
|
fdb740 |
+PrivateDevices=true
|
|
|
fdb740 |
+ProtectHostname=true
|
|
|
fdb740 |
+ProtectClock=true
|
|
|
fdb740 |
+ProtectKernelTunables=true
|
|
|
fdb740 |
+ProtectKernelModules=true
|
|
|
fdb740 |
+ProtectControlGroups=true
|
|
|
fdb740 |
+RestrictRealtime=true
|
|
|
a24c53 |
+# end of automatic additions
|
|
|
fdb740 |
User=root
|
|
|
fdb740 |
WorkingDirectory=/opt/promtail/
|
|
|
fdb740 |
ExecStartPre=/bin/sleep 30
|