From 20445725bc053cb41a0d1dc67dc2582daa614763 Mon Sep 17 00:00:00 2001
From: Aquila Macedo
Date: Wed, 11 Mar 2026 20:13:48 -0300
Subject: [PATCH] systemd: protect cgroups in unit templates

Set ProtectControlGroups=true in mariadb.service and mariadb@.service to make /sys/fs/cgroup read-only for the service. Improves systemd-analyze security while keeping auth_pam (PAMv2) working.
---
 support-files/mariadb.service.in | 3 +++
 support-files/mariadb@.service.in | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index 16c905cdd6252..e02584ff24795 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -59,6 +59,9 @@ ProtectSystem=full
 # Doesn't yet work properly with SELinux enabled
 # NoNewPrivileges=true
 
+# Restrict modifications of cgroups from the MariaDB service context.
+ProtectControlGroups=true
+
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
 
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index 3fd37c38862cb..5f16821835cf7 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -190,6 +190,9 @@ ProtectSystem=full
 # (https://github.com/systemd/systemd/issues/3845)
 # NoNewPrivileges=true
 
+# Restrict modifications of cgroups from the MariaDB service context.
+ProtectControlGroups=true
+
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
 
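Review bot: The new comment above `ProtectControlGroups=true` says what is restricted but not what was checked to make it safe, while this file already records such caveats for its hardening options (the commented-out `NoNewPrivileges=true` directly above carries an SELinux note). The commit message is the only place recording that auth_pam (PAMv2) was verified against a read-only /sys/fs/cgroup, so I would carry that into the unit for whoever next debugs an auth_pam failure: `# Mount /sys/fs/cgroup read-only for the service (hardening, see systemd-analyze security).` followed by `# Verified not to interfere with auth_pam (PAMv2).` If I remember correctly this directive dates from systemd 232, so older releases ignore it with an "unknown key" warning rather than failing the unit; that is harmless, but worth a word if this template tracks minimum systemd versions elsewhere. The same comment applies to the identical hunk in mariadb@.service.in.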