earlyoom.service: drop root privileges

Run as a random unprivilege user instead of as root, but add the capabilities CAP_KILL CAP_IPC_LOCK. Supersedes #158
rfjakob · Feb 12, 2020 · f2b45e6 · f2b45e6
1 parent 247ccd3
commit f2b45e6
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/earlyoom.service.in b/earlyoom.service.in
@@ -5,6 +5,14 @@ Documentation=man:earlyoom(1) https://github.com/rfjakob/earlyoom
 [Service]
 EnvironmentFile=-:SYSCONFDIR:/default/earlyoom
 ExecStart=:TARGET:/earlyoom $EARLYOOM_ARGS
+# Run as an unprivileged user with random user id
+DynamicUser=true
+# Allow killing processes and calling mlockall()
+AmbientCapabilities=CAP_KILL CAP_IPC_LOCK
+# We don't need write access anywhere
+ProtectSystem=strict
+# We don't need /home at all, make it inaccessible
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target