From 836eb68cbcf384f9ebb0c3d48e3a5a47615039ab Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Thu, 20 Aug 2020 08:32:35 +0100
Subject: [PATCH] Allow path accessibility to be configured for systemd services
---
 cookbooks/systemd/resources/service.rb | 3 +++
 cookbooks/systemd/templates/default/service.erb | 9 +++++++++
 2 files changed, 12 insertions(+)
diff --git a/cookbooks/systemd/resources/service.rb b/cookbooks/systemd/resources/service.rb
index 9db776470..26cce2978 100644
--- a/cookbooks/systemd/resources/service.rb
+++ b/cookbooks/systemd/resources/service.rb
@@ -57,6 +57,9 @@ property :private_devices, [true, false]
 property :private_network, [true, false]
 property :protect_system, [TrueClass, FalseClass, String]
 property :protect_home, [TrueClass, FalseClass, String]
+property :read_write_paths, [String, Array]
+property :read_only_paths, [String, Array]
+property :inaccessible_paths, [String, Array]
 property :restrict_address_families, [String, Array]
 property :no_new_privileges, [true, false]
 property :tasks_max, Integer
diff --git a/cookbooks/systemd/templates/default/service.erb b/cookbooks/systemd/templates/default/service.erb
index 4828c96af..6d8a603cc 100644
--- a/cookbooks/systemd/templates/default/service.erb
+++ b/cookbooks/systemd/templates/default/service.erb
@@ -108,6 +108,15 @@ ProtectSystem=<%= @protect_system %>
 <% if @protect_home -%>
 ProtectHome=<%= @protect_home %>
 <% end -%>
+<% if @read_write_paths -%>
+ReadWritePaths=<%= Array(@read_write_paths).join(" ") %>
+<% end -%>
+<% if @read_only_paths -%>
+ReadOnlyPaths=<%= Array(@read_only_paths).join(" ") %>
+<% end -%>
+<% if @inaccessible_paths -%>
+InaccessiblePaths=<%= Array(@inaccessible_paths).join(" ") %>
+<% end -%>
 <% if @restrict_address_families -%>
 RestrictAddressFamilies=<%= Array(@restrict_address_families).join(" ") %>
 <% end -%>
--
2.39.5
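Review bot: The three new properties (`read_write_paths`, `read_only_paths`, `inaccessible_paths`) accept any String or Array without checking the entries, and the `service.erb` hunk joins them with a single space directly into the unit file. A path containing whitespace would presumably be read by systemd as several paths, and a value containing a newline would add extra lines to the rendered unit, so the sandbox could cover different paths than the caller wrote. Consider a Chef `callbacks:` validator on each property, for example `callbacks: { "must be absolute paths without whitespace" => ->(v) { Array(v).all? { |path| path.match?(%r{\A[-+]{0,2}/\S*\z}) } } }`, which still allows the `-` and `+` prefixes systemd accepts. The property list continues outside the hunk.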
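Review bot: Nothing near the new `ReadWritePaths=` block says that this directive only re-opens locations already restricted by `ProtectSystem=`, `ReadOnlyPaths=` or `InaccessiblePaths=`, so a caller who sets `read_write_paths` alone gets a unit that looks sandboxed but restricts nothing. A template comment above the three blocks would help, for example `<%# ReadWritePaths= only re-opens paths made read-only by ProtectSystem= or ReadOnlyPaths= -%>`, with the same sentence in the cookbook's property documentation. Separately, `if @read_write_paths` is true for an empty array in Ruby, so `[]` renders a bare `ReadWritePaths=` line. If that is not intended, guard on `Array(@read_write_paths).any?` in all three blocks. The template continues outside the hunk on both sides.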