From 4d747ec9f76b56fd446d09a97dc6bbf110566727 Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko
Date: Tue, 11 Feb 2025 18:21:54 +0300
Subject: [PATCH] hardening service
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Signed-off-by: Alexander Miroshnichenko
---
 deployments/systemd/teleirc.sysusers | 1 -
 deployments/systemd/teleirc@.service | 28 ++++++++++++++++++++++++++--
 2 files changed, 26 insertions(+), 3 deletions(-)
 delete mode 100644 deployments/systemd/teleirc.sysusers
diff --git a/deployments/systemd/teleirc.sysusers b/deployments/systemd/teleirc.sysusers
deleted file mode 100644
index f25c7d1d4088..000000000000
--- a/deployments/systemd/teleirc.sysusers
+++ /dev/null
@@ -1 +0,0 @@
-u teleirc - "TeleIRC Service"
diff --git a/deployments/systemd/teleirc@.service b/deployments/systemd/teleirc@.service
index 17bb19a50001..36acacac7f28 100644
--- a/deployments/systemd/teleirc@.service
+++ b/deployments/systemd/teleirc@.service
@@ -4,9 +4,33 @@ Requires=network.target
 After=multi-user.target
 [Service]
+DynamicUser=true
+LoadCredential=%i:/etc/teleirc/%i
+AmbientCapabilities=
+CapabilityBoundingSet=
+RestrictNamespaces=yes
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ProtectProc=invisible
+ProcSubset=pid
+ProtectKernelTunables=yes
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+PrivateDevices=yes
+PrivateUsers=yes
+SystemCallArchitectures=native
+ProtectClock=yes
+UMask=7177
 Type=simple
-User=teleirc
-ExecStart=/usr/local/bin/teleirc -conf /etc/teleirc/%i
+ExecStart=/usr/bin/teleirc -conf %d/%i
 Restart=always
 RestartSec=60
--
2.41.0
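Review bot: `UMask=7177` at the end of the added block is an odd mask: umask(2) honours only the low nine permission bits, so the leading 7 does nothing and the effective value is 0177, which also strips the owner's search bit from any directory the service creates; `UMask=0077` gives the same private files without that side effect. The block also omits the two sandboxing directives most relevant to a daemon that spends its life talking to remote servers, `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` and `SystemCallFilter=@system-service`; both would need testing against the binary before they go in. Since `User=teleirc` and the sysusers entry are removed, an existing `/etc/teleirc/%i` file still owned by that account should be re-owned to root with mode 0600, which works because `LoadCredential=` has the service manager read the file on the unit's behalf; upgrade notes are not visible here, so this may already be handled. The `ExecStart` move from `/usr/local/bin` to `/usr/bin` is a packaging change rather than hardening and deserves its own line in the commit description.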