Harden the aurweb tuvotereminder service

This service only requires MySQL access and ability to submit an email.

Harden the aurweb tuvotereminder service
This service only requires MySQL access and ability to submit an email.
501f2adc · Jelle van der Waa · 9a831e39 · 501f2adc
Verified Commit 501f2adc authored Jan 26, 2021 by Jelle van der Waa 🚧
--- a/roles/aurweb/templates/aurweb-tuvotereminder.service.j2
+++ b/roles/aurweb/templates/aurweb-tuvotereminder.service.j2
@@ -7,3 +7,27 @@ After=mysqld.service
 Type=oneshot
 User={{ aurweb_user }}
 ExecStart=/usr/local/bin/aurweb-tuvotereminder
+
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=noaccess
+
+SystemCallArchitectures=native