Merge c449994e22 into 81053ccd82

Update README.md

README.md

@@ -95,6 +95,10 @@ By default, Log2Ram writes to disk every day. If you think this is too much, you
 OnCalendar=
 OnCalendar=Mon *-*-* 23:55:00
 ```
+
+Note: 
+The ``OnCalendar=`` is important because it disables all existing times (e.g. the default one) for log2ram.
+
 ... Or even disable it altogether with `systemctl disable log2ram-daily.timer`, if you instead prefer Log2Ram to be writing logs only on system stops/reboots.
 
 #### Compressor

log2ram-daily.service

@@ -4,3 +4,20 @@ After=log2ram.service
 
 [Service]
 ExecStart=/bin/systemctl reload log2ram.service
+
+# Sandboxing
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPriviliges=true
+PrivateDevices=true
+PrivateNetwork=true 
+  #May affect "Mail" in log2ram.conf.
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictSUIDSGID=true
+ProtectSystem=strict
+ProtectHome=true 

log2ram.service

@@ -15,5 +15,25 @@ ExecReload=/usr/local/bin/log2ram write
 TimeoutStartSec=120
 RemainAfterExit=yes
 
+# Sandboxing
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPriviliges=true
+PrivateDevices=true
+PrivateNetwork=true 
+  #May break "MAIL" in log2ram.conf if it points to non-local web address. 
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictSUIDSGID=true
+ProtectSystem=true
+  # ALT: ProtectSystem=full # needs rw whitelisting for /var/hdd.log/ 
+ProtectHome=true 
+  #may cause breakage in situations wherein user has configured log2ram to also copy logs from $HOME. 
+  #can probably fix with systemctl edit to whitelist relevant dirs. See: ReadWritePaths=
+
 [Install]
 WantedBy=sysinit.target