From f54d8268edd511a6b199f891bcce30de21658bc0 Mon Sep 17 00:00:00 2001
From: Bruno Pagani <bruno.n.pagani@gmail.com>
Date: Sat, 21 May 2022 13:44:47 +0000
Subject: [PATCH] Harden systemd service

This is a sync with current ArchLinux file.
---
 README.md            |  2 +-
 README_fr.md         |  2 +-
 conf/systemd.service | 36 +++++++++++++++++++++++++++++-------
 manifest.json        |  2 +-
 4 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index a8bde23..2d5a746 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 Kresus is an open-source libre self-hosted personal finance manager. It allows you to safely track your banking history, check your overall balance and know exactly how you are spending money using categories!
 
 
-**Shipped version:** 0.18.1~ynh2
+**Shipped version:** 0.18.1~ynh3
 
 ## Screenshots
 
diff --git a/README_fr.md b/README_fr.md
index 31cd609..d71b229 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -17,7 +17,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 
 Kresus est un gestionnaire de finances personnelles gratuit et libre qui tourne sur votre serveur. Il récupère automatiquement et quotidiennement toutes vos nouvelles transactions bancaires et vous permet de les catégoriser, étudier via des graphiques, et établir un budget.
 
-**Version incluse :** 0.18.1~ynh2
+**Version incluse :** 0.18.1~ynh3
 
 ## Captures d'écran
 
diff --git a/conf/systemd.service b/conf/systemd.service
index 6b13e26..c7bc558 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -14,14 +14,36 @@ Restart=always
 StandardOutput=syslog
 StandardError=syslog
 SyslogIdentifier=__APP__
+# /var/log is implied
+LogsDirectory=__APP__
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+LockPersonality=true
+#Not compatible with NodeJS
+#MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+#SecureBits=noroot-locked
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-ProtectHome=yes
-ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
 # to allow this systemd service to use sendmail.
 # references:
 #  https://bugs.archlinux.org/task/57721
diff --git a/manifest.json b/manifest.json
index 2cda8d9..e06ddb5 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
         "en": "Personal finance manager",
         "fr": "Outil personnel de gestion de finances"
     },
-    "version": "0.18.1~ynh2",
+    "version": "0.18.1~ynh3",
     "url": "https://framagit.org/kresusapp/kresus",
     "upstream": {
         "license": "free",