From a624cb6c15b8848ea3d5501d1113ebe281f368d2 Mon Sep 17 00:00:00 2001
From: Indrajit Raychaudhuri
Date: Thu, 26 Dec 2024 17:23:50 -0600
Subject: [PATCH] systemd: Add systemd service settings for better security

This adds additional settings to improve the security of 'ddclient.service'. The settings are based on basic [systemd guidelines][1] and other security-related [guide][2] and [roadmap][3].

[1]: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[2]: https://www.redhat.com/sysadmin/systemd-secure-services
[3]: https://wiki.debian.org/ReleaseGoals/SystemdAnalyzeSecurity
---
 sample-etc_systemd.service | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/sample-etc_systemd.service b/sample-etc_systemd.service
index 8de0cb4..0d0b536 100644
--- a/sample-etc_systemd.service
+++ b/sample-etc_systemd.service
@@ -9,5 +9,31 @@ Environment=daemon_interval=5m
 ExecStart=/usr/bin/ddclient --daemon ${daemon_interval} --foreground
 Restart=on-failure
 
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~ @privileged @resources
+
+CapabilityBoundingSet=
+NoNewPrivileges=yes
+
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectProc=invisible
+ProtectClock=yes
+ProtectHostname=yes
+
+ProtectSystem=yes
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+MemoryDenyWriteExecute=true
+
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
 [Install]
 WantedBy=multi-user.target
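Review bot: `ProtectSystem=yes` is the weakest value of that option: it makes only `/usr` and the boot loader directories read-only, so `/etc` and `/var` remain writable to the service. If the daemon only needs to write its own cache (presumably the case, but the paths are not shown in this patch), `ProtectSystem=strict` plus `ReadWritePaths=<ddclient-cache-dir>` (placeholder) is the least-privilege choice, with `ProtectSystem=full` as a smaller step. Separately, the two `SystemCallFilter=` lines come without `SystemCallErrorNumber=`, so a denied syscall in ddclient or any helper it spawns terminates the process with SIGSYS and, given the `Restart=on-failure` context line, is likely to loop; adding `SystemCallErrorNumber=EPERM` makes such denials fail softly and easier to diagnose. The `[Service]` section begins above this hunk, so whether a `User=` is set alongside the empty `CapabilityBoundingSet=` cannot be checked from here.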