From e7c2f416caa9500c84bd8fab7e6f1ab6fb631a8f Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Mon, 24 Jan 2022 15:04:41 +0100
Subject: [PATCH] Add hardening options to systemd unit

---
 bridges/python/setup/systemd.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/bridges/python/setup/systemd.md b/bridges/python/setup/systemd.md
index 5d72732..e48c07a 100644
--- a/bridges/python/setup/systemd.md
+++ b/bridges/python/setup/systemd.md
@@ -20,6 +20,25 @@ ExecStart=/opt/mautrix-$bridge/bin/python -m mautrix_$bridge
 User=mautrix-$bridge
+ # Hardening
+ CapabilityBoundingSet = [ "" ];
+ LockPersonality = true;
+ PrivateTmp = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+
 [Install]
 WantedBy=multi-user.target
 ```
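Review bot: The 18 added settings are written in NixOS `serviceConfig` attribute syntax — quoted strings, `[ "" ]`, trailing `;` — rather than systemd unit syntax, so a unit copied from this page gets every hardening directive rejected at load time (systemd cannot parse `true;` as a boolean or `"pid";` as a ProcSubset value and ignores the line with a warning in the journal), leaving the service with none of the intended restrictions while the doc suggests otherwise. The values should be bare, e.g. `LockPersonality=true`, `ProcSubset=pid`, and `CapabilityBoundingSet=` (an empty assignment drops the whole bounding set). Separately, `ProtectSystem=strict` makes the entire file hierarchy read-only, so if the bridge writes its database or logs under /opt/mautrix-$bridge (I cannot tell from this hunk where it writes) the unit also needs a `ReadWritePaths=` exception for that directory. The enclosing unit file, including its `[Service]` header, begins above the hunk.
```ini
# … unchanged: ExecStart / User lines above …
# Hardening
# empty assignment = drop all capabilities
CapabilityBoundingSet=
LockPersonality=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
# … unchanged: [Install] section below …
```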