diff options
Diffstat (limited to 'meta-oe/recipes-devtools/php/php/php-fpm.service')
-rw-r--r-- | meta-oe/recipes-devtools/php/php/php-fpm.service | 55 |
1 files changed, 51 insertions, 4 deletions
diff --git a/meta-oe/recipes-devtools/php/php/php-fpm.service b/meta-oe/recipes-devtools/php/php/php-fpm.service index ac79dc931a..918ffe6749 100644 --- a/meta-oe/recipes-devtools/php/php/php-fpm.service +++ b/meta-oe/recipes-devtools/php/php/php-fpm.service @@ -1,10 +1,57 @@ +# It's not recommended to modify this file in-place, because it +# will be overwritten during upgrades. If you want to customize, +# the best way is to use the "systemctl edit" command. + [Unit] -Description=PHP-FPM +Description=The PHP FastCGI Process Manager After=network.target + [Service] -Type=forking +Type=simple PIDFile=@LOCALSTATEDIR@/run/php-fpm.pid -ExecStart=@SYSCONFDIR@/init.d/php-fpm start -ExecStop=@SYSCONFDIR@/init.d/php-fpm stop +ExecStart=@SBINDIR@/php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf +ExecReload=@BINDIR@/kill -USR2 $MAINPID + +# Set up a new file system namespace and mounts private /tmp and /var/tmp directories +# so this service cannot access the global directories and other processes cannot +# access this service's directories. +PrivateTmp=true + +# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit. +ProtectSystem=full + +# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices +# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, +# but no physical devices such as /dev/sda. +PrivateDevices=true + +# Explicit module loading will be denied. This allows to turn off module load and unload +# operations on modular kernels. It is recommended to turn this on for most services that +# do not need special file systems or extra kernel modules to work. +ProtectKernelModules=true + +# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats, +# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes +# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the +# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence +# recommended to turn this on for most services. +ProtectKernelTunables=true + +# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be +# made read-only to all processes of the unit. Except for container managers no services should +# require write access to the control groups hierarchies; it is hence recommended to turn this on +# for most services +ProtectControlGroups=true + +# Any attempts to enable realtime scheduling in a process of the unit are refused. +RestrictRealtime=true + +# Restricts the set of socket address families accessible to the processes of this unit. +# Protects against vulnerabilities such as CVE-2016-8655 +RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX + +# Takes away the ability to create or manage any kind of namespace +RestrictNamespaces=true + [Install] WantedBy=multi-user.target |