From 762a606d446bebded56c0b30c47cba25bf38e1c7 Mon Sep 17 00:00:00 2001
From: ericgaspar <junk.eg@free.fr>
Date: Fri, 16 Apr 2021 23:31:33 +0200
Subject: [PATCH] Update systemd.service

---
 conf/systemd.service | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/conf/systemd.service b/conf/systemd.service
index 4e03a28..90a393f 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -11,5 +11,34 @@ Group=__APP__
 ExecStart=__FINALPATH__/galene -turn __PUBLIC_IPV4__:__TURN_PORT__
 LimitNOFILE=65536
 
+# various hardening options
+ReadWritePaths=/opt/yunohost/galene/recordings
+CapabilityBoundingSet=
+AmbientCapabilities=
+PrivateTmp=yes
+PrivateDevices=yes
+DevicePolicy=closed
+ProtectSystem=strict
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectClock=yes
+NoNewPrivileges=yes
+MountFlags=private
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+KeyringMode=private
+MemoryDenyWriteExecute=yes
+RemoveIPC=yes
+SystemCallArchitectures=native
+SystemCallFilter=~ madvise @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @timer @resources @privileged @pkey @obsolete @setuid
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+UMask=0077
+
 [Install]
 WantedBy=multi-user.target