From 5b8b41a0d081a337474ff448be6e114993aad4ea Mon Sep 17 00:00:00 2001
From: link2xt
Date: Sat, 30 Mar 2024 04:39:38 +0000
Subject: [PATCH] Sandbox chatmail-metadata

---
 .../service/chatmail-metadata.service.f | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f b/cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f
index 419dd09d..0747ec3c 100644
--- a/cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f
+++ b/cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f
@@ -7,5 +7,41 @@ Restart=always
 RestartSec=30
 User=vmail
+# Make `systemd-analyze security` happy.
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap
+UMask=0077
+
 
 [Install]
 WantedBy=multi-user.target
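Review bot: `ProtectSystem=strict` in the middle of the hunk makes the whole file system hierarchy read-only for the service, but no `ReadWritePaths=` is added alongside it; if chatmail-metadata persists any state on disk as `User=vmail`, those writes will now fail at runtime instead of merely lowering the `systemd-analyze security` score. If the service is intentionally stateless, a comment next to that line such as `# No ReadWritePaths=: the service keeps no on-disk state.` would record that, and otherwise `ReadWritePaths=<metadata directory>` (not visible on this page) is needed. The header comment states the goal is a clean `systemd-analyze security` result, yet `ProtectHome=` is left unset although that tool scores it; `ProtectHome=true` would be consistent with the rest of the list. `RestrictAddressFamilies=AF_UNIX` presumes the service only communicates over Unix sockets, which is plausible for a Dovecot-side helper but should be confirmed against the service's actual listener before this merges.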