|  |  | @ -24,8 +24,8 @@ Group=airsonic | 
			
		
	
		
		
			
				
					
					|  |  |  | # See https://www.freedesktop.org/software/systemd/man/systemd.exec.html |  |  |  | # See https://www.freedesktop.org/software/systemd/man/systemd.exec.html | 
			
		
	
		
		
			
				
					
					|  |  |  | # for details |  |  |  | # for details | 
			
		
	
		
		
			
				
					
					|  |  |  | DevicePolicy=closed |  |  |  | DevicePolicy=closed | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  | DeviceAllow=char-alsa rw | 
			
		
	
		
		
			
				
					
					|  |  |  | NoNewPrivileges=yes |  |  |  | NoNewPrivileges=yes | 
			
		
	
		
		
			
				
					
					|  |  |  | PrivateDevices=yes |  |  |  |  | 
			
		
	
		
		
			
				
					
					|  |  |  | PrivateTmp=yes |  |  |  | PrivateTmp=yes | 
			
		
	
		
		
			
				
					
					|  |  |  | PrivateUsers=yes |  |  |  | PrivateUsers=yes | 
			
		
	
		
		
			
				
					
					|  |  |  | ProtectControlGroups=yes |  |  |  | ProtectControlGroups=yes | 
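Review bot: `DeviceAllow=char-alsa rw` is added directly under `DevicePolicy=closed` with no comment, and the reason `PrivateDevices=yes` is removed a few lines below only appears in the later hunk. Someone reading this block sees sound-device access granted without an explanation. Suggest a one-line comment above `DeviceAllow=char-alsa rw` stating it is there for the jukebox, or moving it next to the commented `#PrivateDevices=yes` so the two settings are read together. Note also that every install now loses `PrivateDevices=yes` by default, including those that never use the jukebox. `DevicePolicy=closed` still limits which device nodes can be opened, but the private `/dev` that `PrivateDevices=yes` provided is gone, so consider keeping the stricter setting as the default and making ALSA access the opt-in.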
			
		
	
	
		
		
			
				
					|  |  | @ -37,6 +37,10 @@ RestrictRealtime=yes | 
			
		
	
		
		
			
				
					
					|  |  |  | SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap |  |  |  | SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap | 
			
		
	
		
		
			
				
					
					|  |  |  | ReadWritePaths=/var/airsonic |  |  |  | ReadWritePaths=/var/airsonic | 
			
		
	
		
		
			
				
					
					|  |  |  | 
 |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  | # You can uncomment the following line if you're not using the jukebox | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  | # This will prevent airsonic from accessing any real (physical) devices | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  | #PrivateDevices=yes | 
			
		
	
		
		
			
				
					
					|  |  |  |  |  |  |  | 
 | 
			
		
	
		
		
			
				
					
					|  |  |  | # You can change the following line to `strict` instead of `full` |  |  |  | # You can change the following line to `strict` instead of `full` | 
			
		
	
		
		
			
				
					
					|  |  |  | # if you don't want airsonic to be able to |  |  |  | # if you don't want airsonic to be able to | 
			
		
	
		
		
			
				
					
					|  |  |  | # write anything on your filesystem outside of AIRSONIC_HOME. |  |  |  | # write anything on your filesystem outside of AIRSONIC_HOME. | 
			
		
	
	
		
		
			
				
					|  |  | 
 |
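Review bot: the new comment above `#PrivateDevices=yes` tells users to uncomment that line when the jukebox is unused, but does not mention `DeviceAllow=char-alsa rw` from the first hunk, which stays in the unit even though it has no purpose in that configuration. Suggest extending the comment to say that line can be dropped at the same time, so the two settings do not drift apart. The opt-in also requires editing the shipped unit file; pointing users to a drop-in override in the comment would let the hardening survive package updates.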