ffl-testing@.service
[Unit]
# Template unit: %i is the instance name, used here as the port number.
Description=ffl-testing on port %i
# Socket-activated: the matching socket unit for the same instance is required
# and ordered before this service. That socket unit is not part of this file.
Requires=ffl-testing@%i.socket
After=ffl-testing@%i.socket
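[Service]
# Change both paths to wherever you run FFL-Testing.
# NOTE: don't run it as root. No User= is set in this unit, so as written the
# service runs as root and the example paths live under /root. Prefer a
# dedicated unprivileged account (User=/Group=) and a directory it owns.
WorkingDirectory=/root/FFL-Testing
ExecStart=/root/FFL-Testing/ffl_testing_2
# --port/--server are assumed from LISTEN_FDS
# Restart=always restarts after any exit, clean or failed, with a 20 s delay.
Restart=always
RestartSec=20

# Sandbox settings.
# NOTE: If you are reading, and these sandboxing options cause problems...
# ... feel free to remove all lines below this.
# Removing everything leaves a service that listens on a port with no
# confinement at all; relaxing only the directive that fails keeps the rest.
# /tmp is shared with the host (no private /tmp) so the X socket is reachable.
PrivateTmp=false
# Allow access to X socket.
BindReadOnlyPaths=/tmp/.X11-unix
# strict: the whole file system is read-only except /dev, /proc and /sys;
# writable locations must be listed in ReadWritePaths= below.
ProtectSystem=strict
# read-only rather than true: /home, /root and /run/user stay readable but not
# writable. Keep a single ProtectHome= line; systemd applies the last one only.
ProtectHome=read-only
NoNewPrivileges=true
# Left off because the GPU device nodes below are needed; DevicePolicy= and
# DeviceAllow= restrict device access instead.
PrivateDevices=false
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
LockPersonality=true
# NOTE(review): some graphics drivers generate code at run time and may fail
# under this setting; confirm on the target GPU before relying on it.
MemoryDenyWriteExecute=true
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Deny-list: only these three capabilities are removed, every other capability
# stays in the bounding set.
# NOTE(review): the listening socket is passed in by systemd, so the binary may
# need no capabilities at all; an empty CapabilityBoundingSet= would be
# tighter. Test before switching.
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_MODULE CAP_SYS_RAWIO
DevicePolicy=closed
DeviceAllow=/dev/null rw
DeviceAllow=/dev/tty rw
# GPU nodes; card0 and renderD128 are the names on the author's machine.
DeviceAllow=/dev/dri/card0 rw
DeviceAllow=/dev/dri/renderD128 rw
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Allow paths. TODO: MUST BE CHANGED for your system.
# These examples are under /home/arian while WorkingDirectory= and ExecStart=
# above point to /root/FFL-Testing. With ProtectSystem=strict the working
# directory is writable only if it is listed here, so make the paths agree.
ReadWritePaths=/home/arian/FFL-Testing
ReadOnlyPaths=/home/arian/libc-238-usr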
[Install]
# Enabling an instance of this template attaches it to multi-user.target.
WantedBy=multi-user.target