From faf1ca996c8bf1279e26d2068c4eca7ee39d1d4f Mon Sep 17 00:00:00 2001 From: aitbc Date: Wed, 15 Apr 2026 08:54:38 +0200 Subject: [PATCH] Remove restrictive systemd security settings across multiple services and add ProtectSystem=no for SQLite WAL mode compatibility - Remove ProtectSystem=strict and ReadWritePaths from agent-daemon, gpu, learning, marketplace, modality-optimization, monitor, multimodal, and openclaw services - Add ProtectSystem=no to coordinator-api, exchange-api, and explorer services to allow database writes for SQLite WAL mode - Retain NoNewPrivileges and ProtectHome security settings across all services --- systemd/aitbc-agent-daemon.service | 2 -- systemd/aitbc-coordinator-api.service | 3 +++ systemd/aitbc-exchange-api.service | 3 +++ systemd/aitbc-explorer.service | 3 +++ systemd/aitbc-gpu.service | 2 -- systemd/aitbc-learning.service | 2 -- systemd/aitbc-marketplace.service | 2 -- systemd/aitbc-modality-optimization.service | 2 -- systemd/aitbc-monitor.service | 2 -- systemd/aitbc-multimodal.service | 2 -- systemd/aitbc-openclaw.service | 2 -- 11 files changed, 9 insertions(+), 16 deletions(-) diff --git a/systemd/aitbc-agent-daemon.service b/systemd/aitbc-agent-daemon.service index 7f72dc66..f62efe3b 100644 --- a/systemd/aitbc-agent-daemon.service +++ b/systemd/aitbc-agent-daemon.service @@ -29,9 +29,7 @@ StandardError=journal # Security settings NoNewPrivileges=true PrivateTmp=true -ProtectSystem=strict ProtectHome=true -ReadWritePaths=/var/lib/aitbc/data /var/lib/aitbc/keystore [Install] WantedBy=multi-user.target diff --git a/systemd/aitbc-coordinator-api.service b/systemd/aitbc-coordinator-api.service index 4ca56f7a..86eeb21c 100644 --- a/systemd/aitbc-coordinator-api.service +++ b/systemd/aitbc-coordinator-api.service @@ -14,5 +14,8 @@ RestartSec=5 StandardOutput=journal StandardError=journal +# Allow database writes for SQLite WAL mode +ProtectSystem=no + [Install] WantedBy=multi-user.target diff --git a/systemd/aitbc-exchange-api.service b/systemd/aitbc-exchange-api.service index c506ef47..2e378663 100644 --- a/systemd/aitbc-exchange-api.service +++ b/systemd/aitbc-exchange-api.service @@ -16,5 +16,8 @@ StandardOutput=journal StandardError=journal SyslogIdentifier=aitbc-exchange-api +# Allow database writes for SQLite WAL mode +ProtectSystem=no + [Install] WantedBy=multi-user.target diff --git a/systemd/aitbc-explorer.service b/systemd/aitbc-explorer.service index b6db7287..ae228eb0 100644 --- a/systemd/aitbc-explorer.service +++ b/systemd/aitbc-explorer.service @@ -15,5 +15,8 @@ StandardOutput=journal StandardError=journal SyslogIdentifier=aitbc-explorer +# Allow database writes for SQLite WAL mode +ProtectSystem=no + [Install] WantedBy=multi-user.target diff --git a/systemd/aitbc-gpu.service b/systemd/aitbc-gpu.service index 2702593e..aca8e87f 100644 --- a/systemd/aitbc-gpu.service +++ b/systemd/aitbc-gpu.service @@ -32,9 +32,7 @@ SyslogIdentifier=aitbc-marketplace # Production security NoNewPrivileges=true -ProtectSystem=strict ProtectHome=true -ReadWritePaths=/var/lib/aitbc/data/marketplace /var/log/aitbc/marketplace # Production performance LimitNOFILE=65536 diff --git a/systemd/aitbc-learning.service b/systemd/aitbc-learning.service index 42029df6..e9819a6e 100644 --- a/systemd/aitbc-learning.service +++ b/systemd/aitbc-learning.service @@ -24,9 +24,7 @@ SyslogIdentifier=aitbc-adaptive-learning # Security NoNewPrivileges=true -ProtectSystem=strict ProtectHome=true -ReadWritePaths=/home/oib/aitbc/apps/coordinator-api [Install] WantedBy=multi-user.target diff --git a/systemd/aitbc-marketplace.service b/systemd/aitbc-marketplace.service index 7099ae23..2590ba36 100644 --- a/systemd/aitbc-marketplace.service +++ b/systemd/aitbc-marketplace.service @@ -34,9 +34,7 @@ SyslogIdentifier=aitbc-marketplace-production # Production security NoNewPrivileges=true -ProtectSystem=strict ProtectHome=true -ReadWritePaths=/var/lib/aitbc/data/marketplace /var/log/aitbc/production/marketplace # Production performance LimitNOFILE=65536 diff --git a/systemd/aitbc-modality-optimization.service b/systemd/aitbc-modality-optimization.service index 3035c0ee..a82dd2d8 100644 --- a/systemd/aitbc-modality-optimization.service +++ b/systemd/aitbc-modality-optimization.service @@ -25,9 +25,7 @@ SyslogIdentifier=aitbc-modality-optimization # Security NoNewPrivileges=true -ProtectSystem=strict ProtectHome=true -ReadWritePaths=/opt/aitbc/apps/coordinator-api /opt/aitbc/venv [Install] WantedBy=multi-user.target diff --git a/systemd/aitbc-monitor.service b/systemd/aitbc-monitor.service index e6d8478c..379ba30c 100644 --- a/systemd/aitbc-monitor.service +++ b/systemd/aitbc-monitor.service @@ -26,9 +26,7 @@ SyslogIdentifier=aitbc-monitor # Production security NoNewPrivileges=true -ProtectSystem=strict ProtectHome=true -ReadWritePaths=/var/lib/aitbc/data /var/log/aitbc # Production performance LimitNOFILE=65536 diff --git a/systemd/aitbc-multimodal.service b/systemd/aitbc-multimodal.service index 4866f5c6..c0b51820 100644 --- a/systemd/aitbc-multimodal.service +++ b/systemd/aitbc-multimodal.service @@ -25,9 +25,7 @@ SyslogIdentifier=aitbc-multimodal # Security NoNewPrivileges=true -ProtectSystem=strict ProtectHome=true -ReadWritePaths=/opt/aitbc/apps/coordinator-api /opt/aitbc/venv [Install] WantedBy=multi-user.target diff --git a/systemd/aitbc-openclaw.service b/systemd/aitbc-openclaw.service index 36133c04..f2b5ac17 100644 --- a/systemd/aitbc-openclaw.service +++ b/systemd/aitbc-openclaw.service @@ -25,9 +25,7 @@ SyslogIdentifier=aitbc-openclaw-enhanced # Security NoNewPrivileges=true -ProtectSystem=strict ProtectHome=true -ReadWritePaths=/opt/aitbc/apps/coordinator-api /opt/aitbc/venv [Install] WantedBy=multi-user.target