From 8855cd057415e0c1a8bae02825bdee33deded5c5 Mon Sep 17 00:00:00 2001
From: Morten Linderud <morten@linderud.pw>
Date: Tue, 30 Jun 2020 19:44:02 +0200
Subject: [PATCH] Service hardening

Signed-off-by: Morten Linderud <morten@linderud.pw>
---
 roles/bugbot/files/bugbot.service | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/roles/bugbot/files/bugbot.service b/roles/bugbot/files/bugbot.service
index 1170655f4..1775f220a 100644
--- a/roles/bugbot/files/bugbot.service
+++ b/roles/bugbot/files/bugbot.service
@@ -5,8 +5,14 @@ Description=The official Arch Linux IRC bugbot
 EnvironmentFile=/srv/bugbot/env
 ExecStart=/srv/bugbot/bugbot.py
 Restart=on-failure
-ProtectSystem=full
+ProtectSystem=strict
 DynamicUser=yes
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+
 
 [Install]
-WantedBy=default.target
+WantedBy=multi-user.target
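Review bot: `MemoryDenyWriteExecute=true` is added without `SystemCallArchitectures=native`, and systemd.exec(5) recommends pairing the two because an alternative syscall ABI can otherwise be used to get around the write-execute filter; add `SystemCallArchitectures=native` next to it. Since ExecStart is a Python script, this setting should also be tested against the bot's dependencies, because anything that generates code at runtime (a JIT, some FFI trampolines) may fail under it. With `DynamicUser=yes` already in the unit, `ProtectSystem=strict` and `NoNewPrivileges=true` are implied, so those two lines document the intent rather than add a restriction. The settings that would still narrow a network-facing bot are `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` and `ProtectKernelModules=true`, assuming the bot needs only IP and local sockets. `systemd-analyze security bugbot.service` lists what remains exposed after the change.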
-- 
GitLab