Merge tag 'v0.19.21'

release v0.19.21

3 files changed, 31 insertions, 0 deletions

diff --git a/systemd/mpd.service.in b/systemd/system/mpd.service.in
index 7b0218bf2..7b0218bf2 100644
--- a/systemd/mpd.service.in
+++ b/systemd/system/mpd.service.in
diff --git a/systemd/mpd.socket b/systemd/system/mpd.socket
index c4692592c..c4692592c 100644
--- a/systemd/mpd.socket
+++ b/systemd/system/mpd.socket
diff --git a/systemd/user/mpd.service.in b/systemd/user/mpd.service.in
new file mode 100644
index 000000000..12b814c2d
--- /dev/null
+++ b/systemd/user/mpd.service.in
@@ -0,0 +1,31 @@
+[Unit]
+Description=Music Player Daemon
+Documentation=man:mpd(1) man:mpd.conf(5)
+After=network.target sound.target
+
+[Service]
+Type=notify
+ExecStart=@prefix@/bin/mpd --no-daemon
+
+# allow MPD to use real-time priority 50
+LimitRTPRIO=50
+LimitRTTIME=infinity
+
+# disallow writing to /usr, /bin, /sbin, ...
+ProtectSystem=yes
+
+# more paranoid security settings
+NoNewPrivileges=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictNamespaces=yes
+
+# Note that "ProtectKernelModules=yes" is missing in the user unit
+# because systemd 232 is unable to reduce its own capabilities
+# ("Failed at step CAPABILITIES spawning /usr/bin/mpd: Operation not
+# permitted")
+
+[Install]
+WantedBy=default.target