From 43f4951cf8d91671a1a9cf4e495edfd3641b41b5 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sun, 20 Oct 2024 01:29:48 +0200
Subject: [PATCH] systemd hardening

---
 module.nix | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/module.nix b/module.nix
index 3e11613..47d1bb5 100644
--- a/module.nix
+++ b/module.nix
@@ -100,6 +100,44 @@ in
 ExecStart = "${lib.getExe cfg.package} ${lib.cli.toGNUCommandLineShell { } cfg.settings}";
 Restart = "always";
 RestartSec = 3;
+
+ IPAddressDeny =
+ lib.optionals (lib.elem cfg.settings.host [ null "localhost" "127.0.0.1" ]) [ "any" ];
+
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ # Might work, but wouldn't bet on it with embedded scripting lang in mpv
+ MemoryDenyWriteExecute = false;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = "tmpfs";
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ UMask = "0077";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ ];
 };
 };
 })
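Review bot: `IPAddressDeny = [ "any" ]` applies to loopback traffic as well, so in exactly the case it is enabled (cfg.settings.host is localhost / 127.0.0.1, or null if that means a local bind) the unit will be unable to accept connections on the address it listens on unless a matching allow is present; pair it with `IPAddressAllow = lib.optionals (lib.elem cfg.settings.host [ null "localhost" "127.0.0.1" ]) [ "localhost" ];`. The hard-coded host list also omits the IPv6 loopback (`::1`), so a service bound there gets no IP filter at all; consider adding it if the option accepts that form. It would help to add a comment above IPAddressDeny stating the intent, e.g. `# Local-only listener: block all non-loopback IP traffic`. The enclosing serviceConfig attribute set starts before this hunk.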