From a4c991a499b01c52f024c1895103dd6c04dbce33 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20K=C3=BCthe?=
Date: Tue, 23 May 2023 08:57:58 +0200
Subject: [PATCH] systemd: harden service

Resolves #13, closes #16.
---
 extras/wg-netns@.service | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/extras/wg-netns@.service b/extras/wg-netns@.service
index 2f6262d..7aa5578 100644
--- a/extras/wg-netns@.service
+++ b/extras/wg-netns@.service
@@ -13,7 +13,35 @@ RemainAfterExit=yes
 WorkingDirectory=%E/wireguard
 ConfigurationDirectory=wireguard
-ConfigurationDirectoryMode=700
+ConfigurationDirectoryMode=0700
+ReadOnlyPaths=%E/wireguard
+ReadWritePaths=%E/netns
+
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
+LimitNOFILE=4096
+LimitNPROC=512
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=mnt net
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
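Review bot: The `CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN` and `RestrictNamespaces=mnt net` lines are the two directives that keep most of the sandbox's value from being undone, yet the hunk gives no comment on why each is needed, so a later maintainer cannot tell which one is safe to tighten. I would add `# CAP_SYS_ADMIN + mnt/net namespaces: needed to create the netns and its mounts; CAP_NET_ADMIN: wg/ip configuration` directly above `CapabilityBoundingSet`, adjusting the wording to whatever the service actually requires. Since CAP_SYS_ADMIN stays in the bounding set, the namespace restriction and `ProtectSystem=strict` are what bound that capability, which is worth stating in the same comment. Separately, `ProcSubset=` and `ProtectProc=` are, as far as I recall, only understood by systemd 247 and newer; older releases log an "Unknown key" warning and silently continue without those protections, so a one-line note on the minimum systemd version (or a `systemd-analyze verify` / `systemd-analyze security` step in the README) would make the hardening verifiable rather than assumed.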