co2_exporter: Actually apply systemd sandboxing

I don’t know how that FIXME could be in there for so long.
Simon Bruder 2023-02-15 12:01:46 +01:00
parent 42a22e89b7
commit f59ba624ba
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC


@ -38,7 +38,12 @@ in
# systemd-analyze --no-pager security co2_exporter.service # systemd-analyze --no-pager security co2_exporter.service
DynamicUser = true; DynamicUser = true;
# FIXME CapabilityBoundingSet = null;
PrivateUsers = true;
ProtectHome = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
SystemCallFilter = "@system-service";
}; };
}; };
}; };
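Review bot: `CapabilityBoundingSet = null;` leaves the intent implicit, because it only drops all capabilities if the unit generator renders a null value as an empty `CapabilityBoundingSet=` assignment; I believe NixOS does, but a reader cannot tell that from this line. Writing `CapabilityBoundingSet = "";` states the empty set directly, and a comment such as `# empty set: the exporter needs no capabilities` would record why. `SystemCallFilter = "@system-service";` is still a broad allow-list, so unless it is already tightened above the hunk, consider `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];` together with `SystemCallArchitectures = "native";`, then re-run the `systemd-analyze security` command from the comment and confirm the service still starts. The attribute set these options belong to begins outside the hunk, so options already set there are not visible here.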