snowflake: run snowflake-proxy with procd-ujail 19445/head
author Daniel Golle <daniel@makrotopia.org>
Sun, 25 Sep 2022 00:28:43 +0000 (01:28 +0100)
committer Nick Hainke <vincent@systemli.org>
Sun, 25 Sep 2022 05:34:12 +0000 (07:34 +0200)
commit 8aa01bc1d7efcb68bab9128401bc61a3c79b2834
tree 49eaa7afec1673956f4faaf2eb188476235a9a7e
parent 78e33302879bbc334d1ec5a6a05dd5c0f40de4a3
snowflake: run snowflake-proxy with procd-ujail

snowflake-proxy doesn't write any files
 => run in read-only rootfs environment

the process needs to read SSL certs but no other files
 => only exposed path is /etc/ssl/certificates (read-only)

running as unprivileged user with no additional capabilities
 => set no-new-privs bit

By default procd-ujail also isolates the process by executing it in
a separate new IPC and PID namespace.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0f3d48a3784fb495ffdfe4a83f540ad42fab89df)
Signed-off-by: Nick Hainke <vincent@systemli.org>
net/snowflake/Makefile
net/snowflake/files/snowflake-proxy.init [changed mode: 0755->0644]