NotAShelf
16ace569a0
Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: I2ed3bcfa3e0f58685a883a301c898ee86a6a6964
53 lines
1 KiB
Desktop File
53 lines
1 KiB
Desktop File
[Unit]
|
|
Description=Watchdog Privacy Analytics
|
|
Documentation=https://github.com/notashelf/watchdog
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=watchdog
|
|
Group=watchdog
|
|
|
|
ExecStart=watchdog -config /etc/watchdog/config.yaml
|
|
|
|
Restart=on-failure
|
|
RestartSec=5s
|
|
|
|
# State directory for HLL persistence
|
|
StateDirectory=watchdog
|
|
WorkingDirectory=/var/lib/watchdog
|
|
|
|
# Security hardening
|
|
NoNewPrivileges=true
|
|
PrivateTmp=true
|
|
|
|
# File system protections
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
ReadWritePaths=/var/lib/watchdog
|
|
|
|
# Capabilities
|
|
AmbientCapabilities=
|
|
CapabilityBoundingSet=
|
|
|
|
# Sandboxing
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
RestrictNamespaces=true
|
|
LockPersonality=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
RemoveIPC=true
|
|
PrivateMounts=true
|
|
|
|
# System call filtering
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@privileged @resources
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallArchitectures=native
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|