From ae73a9aab338cba9eb0e275f1270d2ee25947c93 Mon Sep 17 00:00:00 2001
From: Dante <thardev@users.noreply.github.com>
Date: Sun, 19 Jun 2022 17:48:17 +0100
Subject: [PATCH] Add systemd recommended hardening

---
 conf/systemd.service | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/conf/systemd.service b/conf/systemd.service
index b3aad5a..1c4fd5e 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -11,5 +11,27 @@ ExecStart=/opt/yunohost/__APP__/mautrix-whatsapp -c=/opt/yunohost/__APP__/config
 Restart=always
 RestartSec=3
 
+# Optional hardening to improve security
+ReadWritePaths=/opt/mautrix-whatsapp
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=true
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+LockPersonality=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+ProtectClock=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
 [Install]
 WantedBy=multi-user.target