From b5b0131c49a3cf3afa0e4071d78935e2c8df4140 Mon Sep 17 00:00:00 2001
From: OniriCorpe <oniricorpe@disroot.org>
Date: Sun, 24 Dec 2023 23:23:29 +0100
Subject: [PATCH] hardening systemd security

---
 conf/systemd.service | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/conf/systemd.service b/conf/systemd.service
index 7705193..939a604 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -15,5 +15,33 @@ Restart=always
 RestartSec=10
 #EnvironmentFile=-/etc/sysconfig/AdGuardHome
 
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=no
+PrivateTmp=yes
+PrivateDevices=no
+RestrictNamespaces=no
+RestrictRealtime=no
+DevicePolicy=closed
+ProtectClock=no
+ProtectHostname=no
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=no
+ProtectKernelTunables=no
+LockPersonality=no
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target