From 297a3cf904f3d95ceaed64b57713997b2b285f87 Mon Sep 17 00:00:00 2001
From: Yurii Izorkin
Date: Wed, 24 Mar 2021 12:46:13 +0300
Subject: templates/systemd/mastodon: enable sandbox mode (#15937)
---
dist/mastodon-streaming.service | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
(limited to 'dist/mastodon-streaming.service')
diff --git a/dist/mastodon-streaming.service b/dist/mastodon-streaming.service
index c324fccf4..1443ca1c8 100644
--- a/dist/mastodon-streaming.service
+++ b/dist/mastodon-streaming.service
@@ -12,6 +12,33 @@ Environment="STREAMING_CLUSTER_NUM=1"
 ExecStart=/usr/bin/node ./streaming
 TimeoutSec=15
 Restart=always
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @reboot @resources @setuid @swap
 
 [Install]
 WantedBy=multi-user.target
-- cgit
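Review bot: `SystemCallFilter=~@clock … @swap` in the new "System Call Filtering" block is a denylist, so every syscall outside those groups (for example `@raw-io`) stays permitted; the systemd.exec man page's recommended base for services is the allowlist form, e.g. `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources`, which would still need validating against what `node ./streaming` actually calls. Because no `SystemCallErrorNumber=` is set, a blocked syscall terminates the process with SIGSYS, and with `Restart=always` from the context lines above that shows up as a restart loop rather than a clear failure, so a comment pointing operators at the journal for SIGSYS (or at `systemd-analyze syscall-filter`) would help when tuning the list. `MemoryDenyWriteExecute=` and `ProtectHome=` are absent, presumably deliberately (V8's JIT needs writable-and-executable mappings, and the relative `ExecStart=/usr/bin/node ./streaming` suggests a WorkingDirectory that may live under /home), but a one-line comment recording why would stop a later hardening pass from adding them blindly. The four `RestrictAddressFamilies=` lines merge and could be a single `RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX`. The start of the [Service] section, including the User= and WorkingDirectory= settings these options depend on, lies outside the hunk.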