modules/gitweb/files/fcgiwrap-sandbox.conf

   1 [Service]
   2 StandardError=journal
   3 User=nobody
   4 Group=nogroup
   5
   6 # sandboxing options, see systemd.exec(5)
   7 NoNewPrivileges=yes
   8 PrivateNetwork=yes
   9 PrivateDevices=yes
  10 PrivateTmp=yes
  11 ProtectHome=yes
  12 ReadOnlyDirectories=/
  13 SystemCallArchitectures=native
  14 RestrictRealtime=yes
  15 ProtectControlGroups=yes
  16 ProtectKernelModules=yes