imunify360-dos-protection.service
| 1.5 KB | Satir:
0
| service
Geri
[Unit] Description=Imunify360 DoS Protection Before=cagefs.service [Service] Type=simple ExecStart=/usr/bin/imunify360-dos-protection ExecReload=/bin/kill -HUP $MAINPID Restart=on-failure KillMode=mixed CPUAccounting=true MemoryAccounting=true BlockIOAccounting=true # WARN: systemd interprets '-' as '/' and creates redundant nested slices! # Full name: /Imunify.slice/Imunify-dos_protection.slice/imunify360-dos-protection.service Slice=Imunify-dos_protection.slice NoNewPrivileges=true # Daemon opens NETLINK_NETFILTER for conntrack events (cmd/srv/server.go) # and sets NETLINK_LISTEN_ALL_NSID to monitor all network namespaces. # The NETLINK_LISTEN_ALL_NSID setsockopt is gated on CAP_NET_BROADCAST # (kernel 5.14.0+ af_netlink.c) in init_user_ns — without it the daemon # crash-loops on "setsockopt: operation not permitted" before reaching # "Daemon is ready." (verified live on CL9 + cPanel via strace bisect). CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BROADCAST CAP_KILL # NoNewPrivileges=true disables the kernel's UID-0 effective-capability # raise on exec, so even this unit's own ExecStart= binary needs # AmbientCapabilities= to start with effective != empty. Without it, # socket(AF_NETLINK, *, NETLINK_NETFILTER) returns EPERM at startup. AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BROADCAST CAP_KILL ProtectSystem=full ProtectHome=yes PrivateTmp=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK [Install] WantedBy=multi-user.target
Kaydet
Ctrl+S ile kaydet