Use default sandboxing for the supybot service

[chef.git] / cookbooks / supybot / recipes / default.rb

diff --git a/cookbooks/supybot/recipes/default.rb b/cookbooks/supybot/recipes/default.rb
index 68d8eb7447e53891bbc87a513d70e5b3d067baeb..7545ff331767bd814742ac281c72f176bf5e7b40 100644 (file)
--- a/cookbooks/supybot/recipes/default.rb
+++ b/cookbooks/supybot/recipes/default.rb
@@ -131,11 +131,8 @@ systemd_service "supybot" do
   after "network.target"
   user "supybot"
   exec_start "/usr/bin/supybot /etc/supybot/supybot.conf"
-  private_tmp true
-  private_devices true
-  protect_system true
-  protect_home true
-  no_new_privileges true
+  sandbox :enable_network => true
+  read_write_paths ["/etc/supybot", "/var/lib/supybot", "/var/log/supybot"]
   restart "on-failure"
 end