Add no_new_privilegese to some additional services

diff --git a/cookbooks/blogs/recipes/default.rb b/cookbooks/blogs/recipes/default.rb
index 681118f959f5dbcf1a56b8f1932cdc9f4f29e8b0..c4d425a5634151cecb93e54beb0169908c3feeae 100644 (file)
--- a/cookbooks/blogs/recipes/default.rb
+++ b/cookbooks/blogs/recipes/default.rb
@@ -87,6 +87,7 @@ systemd_service "blogs-update" do
   protect_system "strict"
   protect_home true
   read_write_paths "/srv/blogs.openstreetmap.org"
+  no_new_privileges true
 end
 
 systemd_timer "blogs-update" do

diff --git a/cookbooks/dns/recipes/default.rb b/cookbooks/dns/recipes/default.rb
index 7b8c5b6e7278c3bc06a64d59f52760aea8a0fa82..d25c4573177fe57c43fa6ba8fbfba110eda859e0 100644 (file)
--- a/cookbooks/dns/recipes/default.rb
+++ b/cookbooks/dns/recipes/default.rb
@@ -178,6 +178,7 @@ systemd_service "dns-check" do
   protect_system "strict"
   protect_home true
   read_write_paths "/var/lib/dns"
+  no_new_privileges true
 end
 
 systemd_timer "dns-check" do

diff --git a/cookbooks/geoipupdate/recipes/default.rb b/cookbooks/geoipupdate/recipes/default.rb
index 417d3201353a7a9ace9240812fcfcf6a1714c1c2..c11b451dc4645f28d3d12198e5ba2358ca71ec87 100644 (file)
--- a/cookbooks/geoipupdate/recipes/default.rb
+++ b/cookbooks/geoipupdate/recipes/default.rb
@@ -47,6 +47,7 @@ systemd_service "geoipupdate" do
   protect_system "strict"
   protect_home true
   read_write_paths node[:geoipupdate][:directory]
+  no_new_privileges true
 end
 
 systemd_timer "geoipupdate" do

diff --git a/cookbooks/tilelog/recipes/default.rb b/cookbooks/tilelog/recipes/default.rb
index b911dacffc8040950b2433b40dc012a6342798bc..8a53bab547ac34d5d3e701d2aeefd9c3a60b9cf0 100644 (file)
--- a/cookbooks/tilelog/recipes/default.rb
+++ b/cookbooks/tilelog/recipes/default.rb
@@ -60,6 +60,7 @@ systemd_service "tilelog" do
   protect_system "strict"
   protect_home true
   read_write_paths tilelog_output_directory
+  no_new_privileges true
 end
 
 systemd_timer "tilelog" do