Home Explore Help
Sign In
mirrors
/
jellyfin
mirror of https://github.com/jellyfin/jellyfin
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Backport pull request #8219 from jellyfin/release-10.8.z

Move Fedora service hardening options to override config

Original-merge: 1d4755894eaf5293e1d67dbca5e5c90566963572

Merged-by: Joshua M. Boniface <joshua@boniface.me>

Backported-by: Joshua Boniface <joshua@boniface.me>
nyanmisaka 3 years ago
parent
de9a350bad
commit
56805b3368
2 changed files with 46 additions and 34 deletions
Split View Show Diff Stats
  1. 46 0
      fedora/jellyfin.override.conf
  2. 0 34
      fedora/jellyfin.service

+ 46 - 0
fedora/jellyfin.override.conf
View File 

@@ -5,3 +5,49 @@
 
 [Service]
 
 #User = jellyfin
 
 #EnvironmentFile = /etc/sysconfig/jellyfin
 
+
 
+# Service hardening options
 
+# These were added in PR #6953 to solve issue #6952, but some combination of
 
+# them causes "restart.sh" functionality to break with the following error:
 
+#   sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
 
+#   'nosuid' option set or an NFS file system without root privileges?
 
+# See issue #7503 for details on the troubleshooting that went into this.
 
+# Since these were added for NixOS specifically and are above and beyond
 
+# what 99% of systemd units do, they have been moved here as optional
 
+# additional flags to set for maximum system security and can be enabled at
 
+# the administrator's or package maintainer's discretion.
 
+# Uncomment these only if you know what you're doing, and doing so may cause
 
+# bugs with in-server Restart and potentially other functionality as well.
 
+#NoNewPrivileges=true
 
+#SystemCallArchitectures=native
 
+#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 
+#RestrictNamespaces=false
 
+#RestrictRealtime=true
 
+#RestrictSUIDSGID=true
 
+#ProtectClock=true
 
+#ProtectControlGroups=false
 
+#ProtectHostname=true
 
+#ProtectKernelLogs=false
 
+#ProtectKernelModules=false
 
+#ProtectKernelTunables=false
 
+#LockPersonality=true
 
+#PrivateTmp=false
 
+#PrivateDevices=false
 
+#PrivateUsers=true
 
+#RemoveIPC=true
 
+#SystemCallFilter=~@clock
 
+#SystemCallFilter=~@aio
 
+#SystemCallFilter=~@chown
 
+#SystemCallFilter=~@cpu-emulation
 
+#SystemCallFilter=~@debug
 
+#SystemCallFilter=~@keyring
 
+#SystemCallFilter=~@memlock
 
+#SystemCallFilter=~@module
 
+#SystemCallFilter=~@mount
 
+#SystemCallFilter=~@obsolete
 
+#SystemCallFilter=~@privileged
 
+#SystemCallFilter=~@raw-io
 
+#SystemCallFilter=~@reboot
 
+#SystemCallFilter=~@setuid
 
+#SystemCallFilter=~@swap
 
+#SystemCallErrorNumber=EPERM

+ 0 - 34
fedora/jellyfin.service
View File 

@@ -13,39 +13,5 @@ Restart = on-failure
 
 TimeoutSec = 15
 
 SuccessExitStatus=0 143
 
 
-NoNewPrivileges=true
 
-SystemCallArchitectures=native
 
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 
-RestrictNamespaces=false
 
-RestrictRealtime=true
 
-RestrictSUIDSGID=true
 
-ProtectClock=true
 
-ProtectControlGroups=false
 
-ProtectHostname=true
 
-ProtectKernelLogs=false
 
-ProtectKernelModules=false
 
-ProtectKernelTunables=false
 
-LockPersonality=true
 
-PrivateTmp=false
 
-PrivateDevices=false
 
-PrivateUsers=true
 
-RemoveIPC=true
 
-SystemCallFilter=~@clock
 
-SystemCallFilter=~@aio
 
-SystemCallFilter=~@chown
 
-SystemCallFilter=~@cpu-emulation
 
-SystemCallFilter=~@debug
 
-SystemCallFilter=~@keyring
 
-SystemCallFilter=~@memlock
 
-SystemCallFilter=~@module
 
-SystemCallFilter=~@mount
 
-SystemCallFilter=~@obsolete
 
-SystemCallFilter=~@privileged
 
-SystemCallFilter=~@raw-io
 
-SystemCallFilter=~@reboot
 
-SystemCallFilter=~@setuid
 
-SystemCallFilter=~@swap
 
-SystemCallErrorNumber=EPERM
 
-
 
 [Install]
 
 WantedBy = multi-user.target