Harden systemd service file

author: Leonardo Bishop <me@leonardobishop.net> 2025-07-27 15:13:31 +0100
committer: Leonardo Bishop <me@leonardobishop.net> 2025-07-27 15:13:31 +0100
commit: 67a9340a14f5d835d972a72a28702db31086dbbc (patch)
tree: 45a3d2b3730800f5d5faeaf31766faff5174034c /dist
parent: 8d46e4a0f51e23dacbe330bdc3b0b1f9b5b80bcf (diff)
1 files changed, 24 insertions, 0 deletions
diff --git a/dist/scrapbook.service b/dist/scrapbook.service
index c12ed45..a4871a9 100644
--- a/dist/scrapbook.service
+++ b/dist/scrapbook.service
@@ -7,5 +7,29 @@ Group=scrapbook
 Restart=always
 ExecStart=/usr/local/bin/scrapbook
 
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+TemporaryFileSystem=/var:ro /etc:ro
+BindReadOnlyPaths=/etc/scrapbook
+BindPaths=/var/lib/scrapbook
+NoExecPaths=/
+ExecPaths=/usr/local/bin/scrapbook
+
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectClock=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+
 [Install]
 WantedBy=multi-user.target
author	Leonardo Bishop <me@leonardobishop.net>	2025-07-27 15:13:31 +0100
committer	Leonardo Bishop <me@leonardobishop.net>	2025-07-27 15:13:31 +0100
commit	67a9340a14f5d835d972a72a28702db31086dbbc (patch)
tree	45a3d2b3730800f5d5faeaf31766faff5174034c /dist
parent	8d46e4a0f51e23dacbe330bdc3b0b1f9b5b80bcf (diff)