:is => %w[noaccess invisible ptraceable default]
property :proc_subset, String,
:is => %w[all pid]
+property :bind_paths, [String, Array]
+property :bind_read_only_paths, [String, Array]
property :capability_bounding_set, [String, Array]
property :ambient_capabilities, [String, Array]
property :no_new_privileges, [true, false]
<% if @proc_subset && node[:lsb][:release].to_f >= 22.04 -%>
ProcSubset=<%= @proc_subset %>
<% end -%>
+<% if @bind_paths -%>
+BindPaths=<%= Array(@bind_paths).sort.uniq.join(" ") %>
+<% end -%>
+<% if @bind_read_only_paths -%>
+BindReadOnlyPaths=<%= Array(@bind_read_only_paths).sort.uniq.join(" ") %>
+<% end -%>
<% if @no_new_privileges -%>
NoNewPrivileges=<%= @no_new_privileges %>
<% end -%>
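Review bot: The `join(" ")` on the added `BindPaths=` and `BindReadOnlyPaths=` lines writes every entry unquoted, so an entry containing whitespace would be read by systemd as several separate paths and the unit could end up with a bind mount the caller never asked for. Nothing visible in this change validates the values: the `bind_paths` and `bind_read_only_paths` properties in the resource hunk accept any String or Array. Consider failing the render on such input, for example `<% raise ArgumentError, "bind path contains whitespace" if Array(@bind_paths).any? { |p| p.match?(/\s/) } -%>` with the same guard for `@bind_read_only_paths`, or doing the equivalent check where the properties are declared. Note also that an empty array is truthy in Ruby, so `bind_paths []` renders a bare `BindPaths=`; switching the guard to `Array(@bind_paths).any?` would skip the line in that case.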