From 3c5e80832d6218807e0f5bdc6ab9d8a0ebed3ed6 Mon Sep 17 00:00:00 2001
From: Sven Sager
Date: Thu, 12 Sep 2024 15:59:05 +0200
Subject: [PATCH] feat: Use systemd sandboxing for daemon process

The server process is limited to certain locations via the sandboxing of systemd. These restrictions also apply to the control programs and their specified users.
---
 data/lib/systemd/revpipyload.service | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/data/lib/systemd/revpipyload.service b/data/lib/systemd/revpipyload.service
index 1883512..c3d807e 100644
--- a/data/lib/systemd/revpipyload.service
+++ b/data/lib/systemd/revpipyload.service
@@ -9,5 +9,17 @@ PIDFile=/var/run/revpipyload.pid
 ExecStart=/usr/share/revpipyload/revpipyloadd -d $DAEMON_OPTS
 ExecReload=/bin/kill -HUP $MAINPID
 
+# systemd sandboxing process
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+
+# Allow write operations to the following destinations
+ReadWritePaths=/dev/piControl0 /etc/revpipyload/ /etc/revpi/config.rsc /home/ /var/lib/revpipyload/ /var/log/ /var/run/
+
+# Restrict file system access to the following directories
+InaccessiblePaths=/boot /root
+
 [Install]
 WantedBy=multi-user.target
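Review bot: The `ReadWritePaths=` line grants the daemon write access to the whole of `/home/` and `/var/log/`, which largely undoes `ProtectSystem=strict` for every user's home directory and every other service's logs; if the control programs only need their own users' directories, narrower paths (or a dedicated state directory under `/var/lib/revpipyload/`, which is already listed) would keep the sandbox meaningful. The hardening also stops at the filesystem: the [Service] section, which begins above the hunk, gains nothing against privilege escalation or /tmp sharing, so `NoNewPrivileges=yes`, `PrivateTmp=yes` and `RestrictSUIDSGID=yes` are the usual next additions — `NoNewPrivileges=` only blocks privilege gain via execve, so switching to the configured users with setuid/setgid inside the daemon should still work, but this is worth confirming with the control-program launch path. Listing the single file `/etc/revpi/config.rsc` creates a file-level bind mount while `/etc/revpi/` itself stays read-only, so any writer that updates the config by writing a temporary file and renaming it over the original will fail with EROFS; verify how that file is actually written before relying on it. `/dev/piControl0` can presumably be dropped from the list, since `ProtectSystem=strict` leaves `/dev/` writable, and the comment `# Restrict file system access to the following directories` reads backwards for `InaccessiblePaths=` — something like `# Hide these directories from the daemon entirely` states what the directive does.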