Add safe hardening to mariadb.service units
author    Aquila Macedo <aquilamacedo@riseup.net>
          Fri, 16 Jan 2026 00:53:16 +0000 (19:53 -0500)
committer Otto Kekäläinen <otto@debian.org>
          Thu, 19 Mar 2026 13:13:13 +0000 (13:13 +0000)
commit    c007835898a737ba8b5cc47d8813359001dfae0b
tree      82996db471df5dbb6c99ae903bffb59a84dafcca
parent    afea6182ee606cfa11065e89d87958da29246da9
Add safe hardening to mariadb.service units

Add low-regression systemd hardening directives to mariadb.service and
mariadb@.service to improve 'systemd-analyze security' without touching
the historically problematic areas (capability bounding /
NoNewPrivileges / PrivateDevices). Refs: MDEV-10404, MDEV-19878,
MDEV-36591, MDEV-36681

Includes kernel/cgroup protections, disables realtime scheduling, locks
personality, and restricts namespace creation (overridable via drop-in).

This patch should be submitted upstream once proven stable in Debian.

Forwarded: no

Gbp-Pq: Name systemd-hardening-safe-defaults.patch
support-files/mariadb.service.in
support-files/mariadb@.service.in
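The commit message says the namespace restriction can be relaxed via a drop-in rather than by editing the packaged unit. The fragment below is an added example of such a drop-in; it is not part of the Debian patch or of MariaDB's own unit files. It assumes the unit ships the standard systemd directives that match the message's description (ProtectKernelTunables, ProtectKernelModules, ProtectKernelLogs, ProtectControlGroups, RestrictRealtime, LockPersonality, RestrictNamespaces); the actual directive set is in the patch, which this page does not show.

```ini
# /etc/systemd/system/mariadb.service.d/50-local-namespaces.conf
# Added example, not from the Debian patch. Assumes the packaged unit sets
# RestrictNamespaces=true (the directive matching "restricts namespace
# creation"). A drop-in in this directory layers over the packaged unit, so
# package upgrades do not revert the local change.
[Service]
# Re-allow only the namespace types a local plugin or audit tool actually
# needs. systemd.exec(5) accepts a space-separated list of: cgroup ipc net
# mnt pid user uts. Setting "false" or an empty value lifts the restriction
# entirely, which gives up the hardening rather than scoping it.
RestrictNamespaces=net
```

After placing the file, run `systemctl daemon-reload` and `systemctl restart mariadb`, then compare `systemd-analyze security mariadb.service` before and after to confirm only the intended line of the score changed. The same layout (`mariadb@.service.d/` or `mariadb@instance.service.d/`) applies to the templated unit.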