From a0c06d6907b6c9715672b1075b1dacd4849fd241 Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Thu, 14 Apr 2022 10:36:19 +0200
Subject: [PATCH] Update systemd.service
---
 conf/systemd.service | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/conf/systemd.service b/conf/systemd.service
index de90501..65e0480 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -14,5 +14,27 @@ Environment=PORT=__PORT__
 EnvironmentFile=-__FINALPATH__/libreddit.conf
 ExecStart=__FINALPATH__/libreddit -a ${ADDRESS} -p ${PORT}
+# Hardening
+DeviceAllow=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service ~@privileged ~@resources
+UMask=0077
+
 [Install]
 WantedBy=multi-user.target
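Review bot: The `SystemCallFilter=@system-service ~@privileged ~@resources` line most likely does not deny the two groups it names, because systemd treats `~` as an inversion marker only when it is the first character of the value. A `~@group` token later on the same line is, as far as I know, reported as an unknown system call and ignored, so the service would keep everything in `@system-service`. Splitting the directive gives the intended allow-then-deny result: `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources`. The `[Service]` section starts above this hunk, so whether `User=`, `NoNewPrivileges=`, `ProtectSystem=` and `CapabilityBoundingSet=` are already set cannot be seen from here and is worth confirming alongside these additions. After deployment, checking the journal for parse warnings on this unit and running `systemd-analyze security` against it would confirm which of the new directives the installed systemd version actually applies.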