From 4b8e1c2d7fa7d2260b144d32987b52e0df392fd2 Mon Sep 17 00:00:00 2001
From: GrĂ©goire DuchĂȘne
Date: Sun, 30 Jan 2022 14:38:43 +0000
Subject: Lock down systemd unit definition

---
 README.md | 4 ++++
 systemd/go-import-redirect.service | 27 +++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/README.md b/README.md
index a3e6e4a..5412c96 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,10 @@ It is recommended to enable the companion systemd socket and customize it so systemd can start the service when needed and pass the socket to `go-import-redirect`.
 
+If you do not want to use socket activation, you must override the
+`IPAddressDeny` and `RestrictAddressFamilies` unit settings to
+appropriate values.
+
 Likewise, you must customize the service definition to pass the right flag values.
 
diff --git a/systemd/go-import-redirect.service b/systemd/go-import-redirect.service
index 38d8023..86f02a3 100644
--- a/systemd/go-import-redirect.service
+++ b/systemd/go-import-redirect.service
@@ -6,7 +6,34 @@ Description=go-import-redirect
 
 [Service]
 ExecStart=go-import-redirect
+
+CapabilityBoundingSet=
 DynamicUser=true
+IPAddressDeny=any
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateNetwork=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=none
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
 
 [Install]
 WantedBy=multi-user.target
--
cgit v1.2.3-70-g09d2
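Review bot: The hardening block in the go-import-redirect.service hunk silently assumes the listening socket is handed in by systemd, and the unit does not record that assumption: `PrivateNetwork=true`, `IPAddressDeny=any` and `RestrictAddressFamilies=none` each make a self-bound listener unusable, and the empty `CapabilityBoundingSet=` would additionally prevent binding a port below 1024. The README hunk in the same commit tells operators to override only `IPAddressDeny` and `RestrictAddressFamilies`, so someone following it without socket activation would still end up with the service in a private network namespace and no way to create a socket. A comment placed above `PrivateNetwork=true` would keep the assumption next to the settings it governs: `# Assumes socket activation via the companion .socket unit; if the service binds its own socket, also override PrivateNetwork=, IPAddressDeny=, RestrictAddressFamilies= and (for ports below 1024) CapabilityBoundingSet=.` Whether the Go runtime needs AF_UNIX or AF_NETLINK for anything while serving on the inherited listener cannot be determined from the unit alone, so `RestrictAddressFamilies=none` is worth confirming against a live socket-activated start before relying on it.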