diff options
Diffstat (limited to 'www-servers/apache/files/apache2.2-hardened.service')
| -rw-r--r-- | www-servers/apache/files/apache2.2-hardened.service | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/www-servers/apache/files/apache2.2-hardened.service b/www-servers/apache/files/apache2.2-hardened.service new file mode 100644 index 000000000000..7a512a733e72 --- /dev/null +++ b/www-servers/apache/files/apache2.2-hardened.service @@ -0,0 +1,27 @@ +[Unit] +Description=The Apache HTTP Server +After=network.target remote-fs.target nss-lookup.target + +[Service] +EnvironmentFile=/etc/conf.d/apache2 +ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND +ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful +ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop +# We want systemd to give httpd some time to finish gracefully, but still want +# it to kill httpd after TimeoutStopSec if something went wrong during the +# graceful stop. Normally, Systemd sends SIGTERM signal right after the +# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give +# httpd time to finish. +KillSignal=SIGCONT +PrivateTmp=true +#Hardening +PrivateTmp=true +CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK +SecureBits=noroot-locked +ProtectSystem=full +NoNewPrivileges=true +PrivateDevices=true +MemoryDenyWriteExecute=true + +[Install] +WantedBy=multi-user.target |