From a0f20ebc41dd8ebd8bc89f6f6d90e1b098486939 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Tue, 31 Jan 2023 12:25:06 +0100
Subject: [PATCH] Update systemd.service

---
 conf/systemd.service | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/conf/systemd.service b/conf/systemd.service
index 1417126..cdbdbcc 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -11,5 +11,34 @@ WorkingDirectory=__FINALPATH__/live/
 ExecStart=__FINALPATH__/live/galene -http "127.0.0.1:__PORT__" -insecure -turn __PUBLIC_IP4__:__TURN_PORT__ -udp-range 49152-65535 -groups __DATADIR__/groups -recordings __DATADIR__/recordings -data __FINALPATH__/live/data/
 LimitNOFILE=65536
+# various hardening options
+ReadWritePaths=/var/lib/galene/recordings
+CapabilityBoundingSet=
+AmbientCapabilities=
+PrivateTmp=yes
+PrivateDevices=yes
+DevicePolicy=closed
+ProtectSystem=strict
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectClock=yes
+NoNewPrivileges=yes
+MountFlags=private
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+KeyringMode=private
+MemoryDenyWriteExecute=yes
+RemoveIPC=yes
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @timer @resources @privileged @pkey @obsolete @setuid
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+UMask=0077
+
 
 [Install]
 WantedBy=multi-user.target
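Review bot: `ReadWritePaths=/var/lib/galene/recordings` hardcodes a path while the ExecStart line in the same hunk writes recordings to `__DATADIR__/recordings`; with `ProtectSystem=strict` every other path is read-only, so unless `__DATADIR__` happens to resolve to `/var/lib/galene` the recordings directory becomes unwritable and should be declared as `ReadWritePaths=__DATADIR__/recordings` (and, if galene writes into `-data __FINALPATH__/live/data/`, that directory too). Note also that if `__DATADIR__` lives under `/home`, `ProtectHome=yes` makes it inaccessible regardless of `ReadWritePaths`, so that combination needs a check against the installer. ICE candidate gathering in Go-based WebRTC servers usually enumerates interfaces over netlink, which `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` blocks; if galene does so, the line needs `AF_NETLINK`, e.g. `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK`. Blacklisting `@resources` in `SystemCallFilter` will kill the process with SIGSYS at startup if the binary is built with Go 1.19 or later, which raises RLIMIT_NOFILE via setrlimit on its own, so that group should be dropped or verified against the packaged build; `@obsolete` is also listed twice, which is harmless but worth cleaning up.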