From f9abf64a16beb201d6b87ee98e2dc8b1079e6dec Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>
Date: Fri, 21 Sep 2018 16:10:22 +0200
Subject: [PATCH] Improve systemd protections

---
 README.md            | 2 +-
 conf/systemd.service | 7 +++++++
 manifest.json        | 2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 1dcaa96..6a680e7 100644
--- a/README.md
+++ b/README.md
@@ -25,10 +25,10 @@ Password and other usefull information will be sent to you after installation.
 
 * to be confirmed
   * [x] ARM support
+  * [x] Improve systemd protection
 
 * to be added:
   * [ ] Improve log file and add logrotate
-  * [ ] Improve systemd protection (see: https://github.com/YunoHost-Apps/kresus_ynh/issues/20)
 
 ## Links
 
diff --git a/conf/systemd.service b/conf/systemd.service
index 7f0e148..2ccf9d4 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -10,6 +10,13 @@ Type=forking
 ExecStart=/usr/sbin/murmurd -ini __FINALPATH__/mumble-server.ini
 PIDFile=/var/run/mumble-server/__APP__.pid
 ExecReload=/bin/kill -s HUP $MAINPID
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ReadWritePaths=__FINALPATH__ /var/log/mumble-server /var/run/mumble-server
 
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 3f377c7..c8cb7e0 100644
--- a/manifest.json
+++ b/manifest.json
@@ -15,7 +15,7 @@
     "requirements": {
         "yunohost": ">= 3.1.0"
     },
-    "version": "1.2.8~ynh4",
+    "version": "1.2.8~ynh5",
     "multi_instance": true,
     "services": [
     ],