From 9b6b9cca3d7b1c7e2575f72f3ee23b1512a7e0c1 Mon Sep 17 00:00:00 2001
From: Marc <mail@lpcvoid.com>
Date: Sat, 15 Jan 2022 11:03:51 +0100
Subject: [PATCH] systemd-security: add some easy wins

We can tighten security by adding the following to
the systemd service file:

* NoNewPrivileges: should never be needed
* DevicePolicy: only basics required
* PrivateDevices: only needs mounted stuff, never devs
* ProtectSystem: no need to change boot
* RestrictAddressFamilies: INET, UNIX only

Signed-off-by: Marc <mail@lpcvoid.com>
---
 init/sftpgo.service | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/init/sftpgo.service b/init/sftpgo.service
index f5bbfe15..085c2405 100644
--- a/init/sftpgo.service
+++ b/init/sftpgo.service
@@ -17,6 +17,11 @@ KillMode=mixed
 PrivateTmp=true
 Restart=always
 RestartSec=10s
+NoNewPrivileges=yes
+PrivateDevices=yes
+DevicePolicy=closed
+ProtectSystem=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 
 [Install]
 WantedBy=multi-user.target