From 3c64fb639334065b5b7d2038d8f542c5da42abb5 Mon Sep 17 00:00:00 2001
From: asonix
Date: Mon, 10 Jul 2023 12:50:15 -0500
Subject: [PATCH] Add hardening configuration to example unit file
---
 systemd/pict-rs.service | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/systemd/pict-rs.service b/systemd/pict-rs.service
index 81649a8..14b944d 100644
--- a/systemd/pict-rs.service
+++ b/systemd/pict-rs.service
@@ -12,5 +12,26 @@ Environment="PICTRS__MEDIA__FORMAT=avif"
 Environment="PICTRS__REPO__PATH=/var/lib/pict-rs/sled"
 Environment="PICTRS__REPO__EXPORT_PATH=/var/lib/pict-rs/sled"
 Environment="PICTRS__STORE__PATH=/var/lib/pict-rs/files"
+
+# Replace with the path to your installation of pict-rs
 ExecStart=/usr/local/bin/pict-rs run
 Restart=on-failure
+
+# Hardening, taken from user cablepick on matrix
+#
+# CAP_DAC_OVERRIDE - bypass file read, write, execute permission checks
+# CAP_KILL - bypass permission checks for sending signals
+# CAP_SYS_ADMIN - does a lot, can probably be replaced with more fine-grained capabilities
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_KILL CAP_SYS_ADMIN
+# Makes unique /tmp folder for pict-rs, separate from system /tmp
+PrivateTmp=true
+# Makes /usr, /boot, /efi , and /etc read-only for pict-rs
+# Could maybe be replaced with ProtectSystem=strict if ReadWritePaths is set to /var/lib/pict-rs
+ProtectSystem=full
+# Makes /home and /root directories appear empty to pict-rs
+ProtectHome=true
+# Only useful if running as non-root
+RemoveIPC=true
+
+[Install]
+WantedBy=multi-user.target
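Review bot: `CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_KILL CAP_SYS_ADMIN` keeps three of the broadest capabilities, and the comment above it already concedes that CAP_SYS_ADMIN "does a lot"; CAP_DAC_OVERRIDE by itself bypasses every file permission check, which weakens the `ProtectSystem=full` and `ProtectHome=true` lines that follow. Whether the unit runs as root or under a dedicated `User=` is decided in the part of the [Service] section that starts before this hunk, so it cannot be checked here; if it is a non-root user these capabilities are never granted anyway and the line can become the empty set `CapabilityBoundingSet=`, and if it is root the reason each capability is needed should replace "can probably be replaced" in the comment. Either way `NoNewPrivileges=true` is the usual companion, so the retained set cannot be widened again through setuid or file-capability binaries. The `ProtectSystem=strict` plus `ReadWritePaths=/var/lib/pict-rs` pair the comment floats also matches the three `Environment=` paths in the context lines and could be adopted directly instead of left as a "could maybe".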