From 9d275931508996ae803090d46cc83431b555a648 Mon Sep 17 00:00:00 2001
From: dadevel
Date: Thu, 31 Aug 2023 16:34:07 +0200
Subject: [PATCH] systemd: partially revert hardening

Remove some hardening options introduced with commit a4c991a. Fixes #20.
---
 extras/wg-netns@.service | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/extras/wg-netns@.service b/extras/wg-netns@.service
index 7aa5578..0f75429 100644
--- a/extras/wg-netns@.service
+++ b/extras/wg-netns@.service
@@ -14,8 +14,6 @@ RemainAfterExit=yes
 WorkingDirectory=%E/wireguard
 ConfigurationDirectory=wireguard
 ConfigurationDirectoryMode=0700
-ReadOnlyPaths=%E/wireguard
-ReadWritePaths=%E/netns
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
 LimitNOFILE=4096
@@ -23,19 +21,8 @@ LimitNPROC=512
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
-PrivateDevices=true
-PrivateMounts=true
-PrivateTmp=true
-ProcSubset=pid
 ProtectClock=true
-ProtectControlGroups=true
-ProtectHome=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectProc=noaccess
-ProtectSystem=strict
 RemoveIPC=true
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
 RestrictNamespaces=mnt net