From ac9568c48b353e23706c9f2d8e09d9a9d091f866 Mon Sep 17 00:00:00 2001
From: Tom Ryder
Date: Wed, 24 Jun 2020 00:59:04 +1200
Subject: Add hardening to Newsboat
---
 newsboat/systemd/user/reload-newsboat.service | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+) (limited to 'newsboat')
diff --git a/newsboat/systemd/user/reload-newsboat.service b/newsboat/systemd/user/reload-newsboat.service
index c1e5fab9..24cda424 100644
--- a/newsboat/systemd/user/reload-newsboat.service
+++ b/newsboat/systemd/user/reload-newsboat.service
@@ -8,3 +8,21 @@ Type=oneshot
 LogsDirectory=newsboat
 LogsDirectoryMode=0700
 ExecStart=newsboat --execute=reload --log-file=%L/newsboat/%p.log --log-level=6
+# Hardening
+KeyringMode=private
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+RestrictAddressFamilies=AF_UNIX
+RestrictAddressFamilies=~AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
+# Slowing
+Nice=10
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
-- 
cgit v1.2.3
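Review bot: The paired `RestrictAddressFamilies=AF_UNIX` / `RestrictAddressFamilies=~AF_UNIX` lines appear to leave an empty allow list. As I read systemd.exec(5), the first line sets the allow list and the second removes its only entry, so `socket()` is refused for every family, including AF_INET and AF_INET6. That looks at odds with `newsboat --execute=reload`, which presumably fetches feeds over the network. If network access is intended, a single line such as `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` keeps the restriction without breaking the fetch; it is worth a test run of the unit to confirm. If denying all sockets is deliberate, the pair deserves a comment such as `# Allow list with its only entry removed: no sockets of any family`, because the idiom is easy to misread as a no-op.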