summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--conf/unit/afm-unit-debug.conf.in5
-rw-r--r--conf/unit/afm-unit.conf.in5
-rw-r--r--conf/unit/generate-unit-conf/service.inc5
3 files changed, 9 insertions, 6 deletions
diff --git a/conf/unit/afm-unit-debug.conf.in b/conf/unit/afm-unit-debug.conf.in
index 49eb826..6955fa2 100644
--- a/conf/unit/afm-unit-debug.conf.in
+++ b/conf/unit/afm-unit-debug.conf.in
@@ -137,12 +137,13 @@ SmackProcessLabel=User::App::{{:id}}
SuccessExitStatus=0 SIGKILL
User=%i
Slice=user-%i.slice
-#CapabilityBoundingSet=
+CapabilityBoundingSet=
#AmbientCapabilities=
{{#required-permission.urn:AGL:permission::platform:no-oom}}OOMScoreAdjust=-500{{/required-permission.urn:AGL:permission::platform:no-oom}}
{{#required-permission.urn:AGL:permission::partner:real-time}}IOSchedulingClass=realtime{{/required-permission.urn:AGL:permission::partner:real-time}}
-{{#required-permission.urn:AGL:permission::public:display}}SupplementaryGroups=display{{/required-permission.urn:AGL:permission::public:display}}
{{^required-permission.urn:AGL:permission::public:syscall:clock}}SystemCallFilter=~@clock{{/required-permission.urn:AGL:permission::public:syscall:clock}}
+#{{#required-permission.urn:AGL:permission::public:display}}SupplementaryGroups=display{{/required-permission.urn:AGL:permission::public:display}}
+SupplementaryGroups=display
%nl
WorkingDirectory=-/home/%i/app-data/{{:id}}
ExecStartPre=/bin/mkdir -p /home/%i/app-data/{{:id}}
diff --git a/conf/unit/afm-unit.conf.in b/conf/unit/afm-unit.conf.in
index 50fd957..353d83b 100644
--- a/conf/unit/afm-unit.conf.in
+++ b/conf/unit/afm-unit.conf.in
@@ -137,12 +137,13 @@ SmackProcessLabel=User::App::{{:id}}
SuccessExitStatus=0 SIGKILL
User=%i
Slice=user-%i.slice
-#CapabilityBoundingSet=
+CapabilityBoundingSet=
#AmbientCapabilities=
{{#required-permission.urn:AGL:permission::platform:no-oom}}OOMScoreAdjust=-500{{/required-permission.urn:AGL:permission::platform:no-oom}}
{{#required-permission.urn:AGL:permission::partner:real-time}}IOSchedulingClass=realtime{{/required-permission.urn:AGL:permission::partner:real-time}}
-{{#required-permission.urn:AGL:permission::public:display}}SupplementaryGroups=display{{/required-permission.urn:AGL:permission::public:display}}
{{^required-permission.urn:AGL:permission::public:syscall:clock}}SystemCallFilter=~@clock{{/required-permission.urn:AGL:permission::public:syscall:clock}}
+#{{#required-permission.urn:AGL:permission::public:display}}SupplementaryGroups=display{{/required-permission.urn:AGL:permission::public:display}}
+SupplementaryGroups=display
%nl
WorkingDirectory=-/home/%i/app-data/{{:id}}
ExecStartPre=/bin/mkdir -p /home/%i/app-data/{{:id}}
diff --git a/conf/unit/generate-unit-conf/service.inc b/conf/unit/generate-unit-conf/service.inc
index 961a262..59df916 100644
--- a/conf/unit/generate-unit-conf/service.inc
+++ b/conf/unit/generate-unit-conf/service.inc
@@ -70,13 +70,14 @@ SuccessExitStatus=0 SIGKILL
User=%i
Slice=user-%i.slice
-#CapabilityBoundingSet=
+CapabilityBoundingSet=
#AmbientCapabilities=
ON_PERM(:platform:no-oom, OOMScoreAdjust=-500)
ON_PERM(:partner:real-time, IOSchedulingClass=realtime)
-ON_PERM(:public:display, SupplementaryGroups=display)
ON_PERM(:public:syscall:clock, , SystemCallFilter=~@clock)
+#ON_PERM(:public:display, SupplementaryGroups=display)
+SupplementaryGroups=display
%nl
WorkingDirectory=-APP_DATA_DIR/{{:id}}