From 143b4159414697c038b2166b2f83155e865a25cb Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Thu, 19 May 2022 19:21:19 +0100
Subject: [PATCH] More secure systemd settings
---
README.md | 21 +++++++++++++++++++++
deploy/i2p | 21 +++++++++++++++++++++
deploy/onion | 21 +++++++++++++++++++++
gemini/EN/install.gmi | 22 +++++++++++++++++++++-
website/EN/index.html | 20 ++++++++++++++++++++
5 files changed, 104 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index bfaeedb3c..566cee0ab 100644
--- a/README.md
+++ b/README.md
@@ -85,6 +85,27 @@ Environment=USER=epicyon
Environment=PYTHONUNBUFFERED=true
Restart=always
StandardError=syslog
+CPUQuota=80%
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectHostname=true
+ProtectClock=true
+ProtectProc=invisible
+ProcSubset=pid
+PrivateTmp=true
+PrivateUsers=true
+PrivateDevices=true
+PrivateIPC=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
diff --git a/deploy/i2p b/deploy/i2p
index 1fc4ad465..02d728eba 100755
--- a/deploy/i2p
+++ b/deploy/i2p
@@ -218,6 +218,27 @@ echo 'Creating Epicyon daemon'
echo 'Environment=PYTHONUNBUFFERED=true';
echo 'Restart=always';
echo 'StandardError=syslog';
+ echo 'CPUQuota=80%';
+ echo 'ProtectHome=true';
+ echo 'ProtectKernelTunables=true';
+ echo 'ProtectKernelModules=true';
+ echo 'ProtectControlGroups=true';
+ echo 'ProtectKernelLogs=true';
+ echo 'ProtectHostname=true';
+ echo 'ProtectClock=true';
+ echo 'ProtectProc=invisible';
+ echo 'ProcSubset=pid';
+ echo 'PrivateTmp=true';
+ echo 'PrivateUsers=true';
+ echo 'PrivateDevices=true';
+ echo 'PrivateIPC=true';
+ echo 'MemoryDenyWriteExecute=true';
+ echo 'NoNewPrivileges=true';
+ echo 'LockPersonality=true';
+ echo 'RestrictRealtime=true';
+ echo 'RestrictSUIDSGID=true';
+ echo 'RestrictNamespaces=true';
+ echo 'SystemCallArchitectures=native';
echo '';
echo '[Install]';
echo 'WantedBy=multi-user.target'; } > "/etc/systemd/system/${username}.service"
diff --git a/deploy/onion b/deploy/onion
index 60a354fe3..8386e467f 100755
--- a/deploy/onion
+++ b/deploy/onion
@@ -137,6 +137,27 @@ echo 'Creating Epicyon daemon'
echo 'Environment=PYTHONUNBUFFERED=true';
echo 'Restart=always';
echo 'StandardError=syslog';
+ echo 'CPUQuota=80%';
+ echo 'ProtectHome=true';
+ echo 'ProtectKernelTunables=true';
+ echo 'ProtectKernelModules=true';
+ echo 'ProtectControlGroups=true';
+ echo 'ProtectKernelLogs=true';
+ echo 'ProtectHostname=true';
+ echo 'ProtectClock=true';
+ echo 'ProtectProc=invisible';
+ echo 'ProcSubset=pid';
+ echo 'PrivateTmp=true';
+ echo 'PrivateUsers=true';
+ echo 'PrivateDevices=true';
+ echo 'PrivateIPC=true';
+ echo 'MemoryDenyWriteExecute=true';
+ echo 'NoNewPrivileges=true';
+ echo 'LockPersonality=true';
+ echo 'RestrictRealtime=true';
+ echo 'RestrictSUIDSGID=true';
+ echo 'RestrictNamespaces=true';
+ echo 'SystemCallArchitectures=native';
echo '';
echo '[Install]';
echo 'WantedBy=multi-user.target'; } > "/etc/systemd/system/${username}.service"
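Review bot: The new hardening block in deploy/i2p (and the identical one in deploy/onion in the next hunk) never sets `ProtectSystem=`, so the generated unit still leaves /usr, /etc and the rest of the root filesystem writable wherever the service user already has permission; `echo 'ProtectSystem=strict';` together with `echo 'ReadWritePaths=<epicyon install/data directory>';` is the directive pair that actually confines writes, and `echo 'RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6';` would round the set out. Two of the added keys deserve a run on a real host before shipping: `MemoryDenyWriteExecute=true` can refuse the writable-and-executable mappings that Python extensions built on libffi/ctypes rely on, and `PrivateUsers=true` maps every account other than the service user to nobody, so a data directory not owned by that user may become unreadable or unwritable to the daemon. Several of the directives (`ProtectProc=`, `ProcSubset=`, `PrivateIPC=`, `ProtectClock=`) only exist in newer systemd releases; an older systemd logs an unknown-key warning and skips them, so the script should not assume the hardening took effect without checking `systemd-analyze security <unit-name>` on the target. The brace group these echo lines belong to opens before the hunk; only its closing `}` is visible here.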
diff --git a/gemini/EN/install.gmi b/gemini/EN/install.gmi
index a353c5b47..46c91c699 100644
--- a/gemini/EN/install.gmi
+++ b/gemini/EN/install.gmi
@@ -47,6 +47,26 @@ Paste the following:
Restart=always
StandardError=syslog
CPUQuota=80%
+ ProtectHome=true
+ ProtectKernelTunables=true
+ ProtectKernelModules=true
+ ProtectControlGroups=true
+ ProtectKernelLogs=true
+ ProtectHostname=true
+ ProtectClock=true
+ ProtectProc=invisible
+ ProcSubset=pid
+ PrivateTmp=true
+ PrivateUsers=true
+ PrivateDevices=true
+ PrivateIPC=true
+ MemoryDenyWriteExecute=true
+ NoNewPrivileges=true
+ LockPersonality=true
+ RestrictRealtime=true
+ RestrictSUIDSGID=true
+ RestrictNamespaces=true
+ SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
@@ -135,7 +155,7 @@ And paste the following:
proxy_request_buffering off;
proxy_buffering off;
proxy_pass http://localhost:7156;
- tcp_nodelay on;
+ tcp_nodelay on;
}
}
diff --git a/website/EN/index.html b/website/EN/index.html
index 359127ac2..65a2bf00c 100644
--- a/website/EN/index.html
+++ b/website/EN/index.html
@@ -1378,6 +1378,26 @@
Restart=always
StandardError=syslog
CPUQuota=80%
+ ProtectHome=true
+ ProtectKernelTunables=true
+ ProtectKernelModules=true
+ ProtectControlGroups=true
+ ProtectKernelLogs=true
+ ProtectHostname=true
+ ProtectClock=true
+ ProtectProc=invisible
+ ProcSubset=pid
+ PrivateTmp=true
+ PrivateUsers=true
+ PrivateDevices=true
+ PrivateIPC=true
+ MemoryDenyWriteExecute=true
+ NoNewPrivileges=true
+ LockPersonality=true
+ RestrictRealtime=true
+ RestrictSUIDSGID=true
+ RestrictNamespaces=true
+ SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target