diff options
| author | Joshua M. Boniface <joshua@boniface.me> | 2022-03-19 12:31:33 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-03-19 12:31:33 -0400 |
| commit | 464ebf93dd36db05f34af9d3fe77cf4556bf1ac8 (patch) | |
| tree | 5efbd017893488e8be9148c10f74be7c1702abc5 /fedora | |
| parent | e1527857e931527f68b9705e248bd7bc83c62940 (diff) | |
| parent | 93f569d286825eee32a682521cf832f60713a931 (diff) | |
Merge pull request #6985 from joshuaboniface/unharden-for-lxc
Diffstat (limited to 'fedora')
| -rw-r--r-- | fedora/jellyfin.service | 56 |
1 files changed, 46 insertions, 10 deletions
diff --git a/fedora/jellyfin.service b/fedora/jellyfin.service index f706b0ad3..1193ddb5b 100644 --- a/fedora/jellyfin.service +++ b/fedora/jellyfin.service @@ -1,15 +1,51 @@ [Unit] -After=network-online.target -Description=Jellyfin is a free software media system that puts you in control of managing and streaming your media. +Description = Jellyfin Media Server +After = network-online.target [Service] -EnvironmentFile=/etc/sysconfig/jellyfin -WorkingDirectory=/var/lib/jellyfin -ExecStart=/usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} -TimeoutSec=15 -Restart=on-failure -User=jellyfin -Group=jellyfin +Type = simple +EnvironmentFile = /etc/sysconfig/jellyfin +User = jellyfin +Group = jellyfin +WorkingDirectory = /var/lib/jellyfin +ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} ${JELLYFIN_ADDITIONAL_OPTS} +Restart = on-failure +TimeoutSec = 15 +SuccessExitStatus=0 143 + +NoNewPrivileges=true +SystemCallArchitectures=native +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=false +RestrictRealtime=true +RestrictSUIDSGID=true +ProtectClock=true +ProtectControlGroups=false +ProtectHostname=true +ProtectKernelLogs=false +ProtectKernelModules=false +ProtectKernelTunables=false +LockPersonality=true +PrivateTmp=false +PrivateDevices=false +PrivateUsers=true +RemoveIPC=true +SystemCallFilter=~@clock +SystemCallFilter=~@aio +SystemCallFilter=~@chown +SystemCallFilter=~@cpu-emulation +SystemCallFilter=~@debug +SystemCallFilter=~@keyring +SystemCallFilter=~@memlock +SystemCallFilter=~@module +SystemCallFilter=~@mount +SystemCallFilter=~@obsolete +SystemCallFilter=~@privileged +SystemCallFilter=~@raw-io +SystemCallFilter=~@reboot +SystemCallFilter=~@setuid +SystemCallFilter=~@swap +SystemCallErrorNumber=EPERM [Install] -WantedBy=multi-user.target +WantedBy = multi-user.target |