From 4a006b2bddccf1523b638d3c09f31ead464ca88f Mon Sep 17 00:00:00 2001
From: Tom Ryder
Date: Tue, 23 Jun 2020 22:43:36 +1200
Subject: Add hardening for systemd notify task

---
 systemd/user/notify-email@.service | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/systemd/user/notify-email@.service b/systemd/user/notify-email@.service
index 9293c423..bddee12a 100644
--- a/systemd/user/notify-email@.service
+++ b/systemd/user/notify-email@.service
@@ -4,3 +4,14 @@ Description=unit status mailer service for %i
 [Service]
 Type=oneshot
 ExecStart=sh -c 'systemctl --user status %i | mail --append="From: systemd" --append="X-systemd: %H %m %b" --subject="[systemd] %i failure" %u'
+# Hardening
+DevicePolicy=closed
+IPAddressDeny=any
+PrivateMounts=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectSystem=full
+RemoveIPC=true
+SystemCallErrorNumber=EPERM
+UMask=027
--
cgit v1.2.3
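Review bot: `SystemCallErrorNumber=EPERM` on the last added line has no effect by itself, because it only selects the errno returned when a `SystemCallFilter=` rule triggers and this unit declares no filter; either pair it with one, e.g. `SystemCallFilter=@system-service`, or drop it so the hardening block does not suggest a restriction that is not applied. Since this is a per-user unit (`systemd/user/`), several of the other options (`ProtectHome=`, `ProtectSystem=`, `PrivateMounts=`, `DevicePolicy=`, `IPAddressDeny=`) may need privileges the user manager does not have on older systemd versions and could be silently ignored, so the journal for a test run should be checked for such warnings. `ProtectHome=true` also makes the user's home directory inaccessible, which would break delivery if `mail` reads `~/.mailrc` or similar per-user configuration there; `ProtectHome=read-only` keeps that readable while still blocking writes. Because the unit exists to report another unit's failure, a mail pipeline that fails quietly under these restrictions is the worst outcome, so the change is worth verifying with a manual start of `notify-email@<UNIT-PLACEHOLDER>.service` before relying on it.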