From 3122b3c2923f81509cf9918c8afb9265ba02b32e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?=
 <46165813+ericgaspar@users.noreply.github.com>
Date: Wed, 11 Jan 2023 00:01:24 +0100
Subject: [PATCH] Systemd

---
 conf/systemd.service | 47 +++++++++++++++++++++++++++++++-------------
 manifest.json        |  2 +-
 2 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index 09bd16c..321217d 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -16,21 +16,40 @@ StandardError=syslog
 SyslogIdentifier=__APP__
 Restart=always
 
-; Some security directives (inspired from peertube_ynh package)
-; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
 ProtectSystem=full
-; Sets up a new /dev mount for the process and only adds API pseudo devices
-; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
-; by default because it may not work on devices like the Raspberry Pi.
-PrivateDevices=false
-; Ensures that the service process and all its children can never gain new
-; privileges through execve().
-NoNewPrivileges=true
-; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
-; by this unit. Make sure that you do not depend on data inside these folders.
-ProtectHome=false
-; Drops the sys admin capability from the daemon.
-CapabilityBoundingSet=~CAP_SYS_ADMIN
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 3f539da..78cd3e9 100644
--- a/manifest.json
+++ b/manifest.json
@@ -23,7 +23,7 @@
       "url": "https://squeak.eauchat.org"
     },
     "requirements": {
-        "yunohost": ">= 4.3.0"
+        "yunohost": ">= 11.0.9"
     },
     "multi_instance": true,
     "services": [