From b25bdfc1b32c6ca9daa818949de7e57b9dd6016a Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 9 Nov 2022 22:40:35 +0000
Subject: [PATCH 1/1] Use default sandboxing for the geoipupdate service
---
 cookbooks/geoipupdate/recipes/default.rb | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/cookbooks/geoipupdate/recipes/default.rb b/cookbooks/geoipupdate/recipes/default.rb
index c11b451dc..17fcc0850 100644
--- a/cookbooks/geoipupdate/recipes/default.rb
+++ b/cookbooks/geoipupdate/recipes/default.rb
@@ -42,12 +42,8 @@ systemd_service "geoipupdate" do
 description "Update GeoIP databases"
 user "root"
 exec_start "/usr/bin/geoipupdate"
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
+ sandbox :enable_network => true
 read_write_paths node[:geoipupdate][:directory]
- no_new_privileges true
 end
 systemd_timer "geoipupdate" do
-- 
2.39.5
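Review bot: The `sandbox :enable_network => true` line in the `systemd_service "geoipupdate"` block is now the only containment for a unit that still runs as `user "root"`, and what it expands to is defined in the systemd cookbook, outside this hunk. Please confirm the defaults are at least as strict as the five removed settings (`private_tmp`, `private_devices`, `protect_system "strict"`, `protect_home`, `no_new_privileges`); the retained `read_write_paths` is only meaningful if the rest of the filesystem is still mounted read-only for the service. Comparing the output of `systemd-analyze security geoipupdate.service` before and after the change would show any regression. A short comment above the new line would also help the next reader, for example `# default sandbox from the systemd cookbook; network stays enabled, presumably because geoipupdate downloads the databases`.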