init.d/service.fedora: Set SecureBits=noroot-locked

No capabilities(7) are granted through execve(2); this setting cannot be undone.
jirka-h · Jan 31, 2020 · aead88a · aead88a
1 parent 2fa7c23
commit aead88a
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/init.d/service.fedora b/init.d/service.fedora
@@ -9,6 +9,8 @@ Before=sysinit.target shutdown.target systemd-journald.service
 ExecStart=/usr/sbin/haveged -w 1024 -v 1 --Foreground
 Restart=always
 SuccessExitStatus=137 143
+
+SecureBits=noroot-locked
 CapabilityBoundingSet=CAP_SYS_ADMIN
 PrivateDevices=true
 PrivateNetwork=true