From 0a9ef9e047b8e59527c61b4d6e31f1a68dd68dcc Mon Sep 17 00:00:00 2001
From: Holger Brunn
Date: Sat, 19 Aug 2023 12:02:04 +0200
Subject: [PATCH] Add sandboxing to systemd examples

---
 contrib/systemd/bookwyrm-scheduler.service | 22 +++++++++++++++++++++-
 contrib/systemd/bookwyrm-worker.service | 22 +++++++++++++++++++++-
 contrib/systemd/bookwyrm.service | 22 +++++++++++++++++++++-
 3 files changed, 63 insertions(+), 3 deletions(-)

diff --git a/contrib/systemd/bookwyrm-scheduler.service b/contrib/systemd/bookwyrm-scheduler.service
index f3572f632..1d5b05214 100644
--- a/contrib/systemd/bookwyrm-scheduler.service
+++ b/contrib/systemd/bookwyrm-scheduler.service
@@ -5,10 +5,30 @@ After=network.target postgresql.service redis.service
 [Service]
 User=bookwyrm
 Group=bookwyrm
-WorkingDirectory=/opt/bookwyrm/
+WorkingDirectory=/opt/bookwyrm
 ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler
 StandardOutput=journal
 StandardError=inherit
+ProtectSystem=strict
+ProtectHome=tmpfs
+InaccessiblePaths=-/media -/mnt -/srv
+PrivateTmp=yes
+TemporaryFileSystem=/var /run /opt
+PrivateUsers=true
+PrivateDevices=true
+BindReadOnlyPaths=/opt/bookwyrm
+BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
+LockPersonality=yes
+MemoryDenyWriteExecute=true
+PrivateMounts=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=net
 
 [Install]
 WantedBy=multi-user.target
diff --git a/contrib/systemd/bookwyrm-worker.service b/contrib/systemd/bookwyrm-worker.service
index ebba8b6ca..b9406a66e 100644
--- a/contrib/systemd/bookwyrm-worker.service
+++ b/contrib/systemd/bookwyrm-worker.service
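Review bot: `RestrictNamespaces=net` at the end of the new block is an allow-list, so it still lets the service create network namespaces while denying the other kinds; none of these processes need to create namespaces at all, so `RestrictNamespaces=true` is the tighter setting (if a deny-list was intended, the syntax is `RestrictNamespaces=~net`). The sandbox also leaves privilege and syscall surface untouched: adding `NoNewPrivileges=true`, `CapabilityBoundingSet=`, `RestrictSUIDSGID=true`, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `SystemCallFilter=@system-service` would round it out, as sketched below. `MemoryDenyWriteExecute=true` can break Python native extensions that need writable-and-executable pages (libffi/cffi-based packages are the usual case), so the example should be verified against the installed wheels before being shipped as the reference unit. With `TemporaryFileSystem=/var /run /opt` only `/var/run/postgresql` is bound back in, so if Redis is reached over a Unix socket under `/run` rather than TCP it will be unreachable inside the sandbox; a comment such as `# Redis and PostgreSQL sockets under /run are hidden unless listed in BindPaths=` would save the next deployer a debugging round. The identical block is added in the bookwyrm-worker.service and bookwyrm.service hunks, so the same points apply there.
```ini
# … unchanged: ProtectSystem=strict through RestrictRealtime=true …
RestrictNamespaces=true
NoNewPrivileges=true
CapabilityBoundingSet=
RestrictSUIDSGID=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=@system-service
```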
@@ -5,10 +5,30 @@ After=network.target postgresql.service redis.service
 [Service]
 User=bookwyrm
 Group=bookwyrm
-WorkingDirectory=/opt/bookwyrm/
+WorkingDirectory=/opt/bookwyrm
 ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc
 StandardOutput=journal
 StandardError=inherit
+ProtectSystem=strict
+ProtectHome=tmpfs
+InaccessiblePaths=-/media -/mnt -/srv
+PrivateTmp=yes
+TemporaryFileSystem=/var /run /opt
+PrivateUsers=true
+PrivateDevices=true
+BindReadOnlyPaths=/opt/bookwyrm
+BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
+LockPersonality=yes
+MemoryDenyWriteExecute=true
+PrivateMounts=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=net
 
 [Install]
 WantedBy=multi-user.target
diff --git a/contrib/systemd/bookwyrm.service b/contrib/systemd/bookwyrm.service
index c7ebe26ec..6e9434aa3 100644
--- a/contrib/systemd/bookwyrm.service
+++ b/contrib/systemd/bookwyrm.service
@@ -5,10 +5,30 @@ After=network.target postgresql.service redis.service
 [Service]
 User=bookwyrm
 Group=bookwyrm
-WorkingDirectory=/opt/bookwyrm/
+WorkingDirectory=/opt/bookwyrm
 ExecStart=/opt/bookwyrm/venv/bin/gunicorn bookwyrm.wsgi:application --bind 0.0.0.0:8000
 StandardOutput=journal
 StandardError=inherit
+ProtectSystem=strict
+ProtectHome=tmpfs
+InaccessiblePaths=-/media -/mnt -/srv
+PrivateTmp=yes
+TemporaryFileSystem=/var /run /opt
+PrivateUsers=true
+PrivateDevices=true
+BindReadOnlyPaths=/opt/bookwyrm
+BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
+LockPersonality=yes
+MemoryDenyWriteExecute=true
+PrivateMounts=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=net
 
 [Install]
 WantedBy=multi-user.target