From b12a52623b1fa1ce835cb4e6ec7fc1f93621af17 Mon Sep 17 00:00:00 2001
From: Sven Sager
Date: Thu, 12 Sep 2024 15:59:05 +0200
Subject: [PATCH] feat: Use systemd sandboxing for daemon process

The server process is limited to certain locations via the sandboxing of systemd. These restrictions also apply to the control programs and their specified users.
---
 data/lib/systemd/revpipyload.service | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/data/lib/systemd/revpipyload.service b/data/lib/systemd/revpipyload.service
index 1883512..460d84c 100644
--- a/data/lib/systemd/revpipyload.service
+++ b/data/lib/systemd/revpipyload.service
@@ -9,5 +9,17 @@ PIDFile=/var/run/revpipyload.pid
 ExecStart=/usr/share/revpipyload/revpipyloadd -d $DAEMON_OPTS
 ExecReload=/bin/kill -HUP $MAINPID
 
+# systemd sandboxing process
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+
+# Allow write operations to the following destinations
+ReadWritePaths=/dev/piControl0 /etc/revpipyload/ /etc/revpi/config.rsc /home/ /var/lib/revpipyload/ /var/log/ /var/run/revpipyload.pid
+
+# Restrict file system access to the following directories
+InaccessiblePaths=/boot /root
+
 [Install]
 WantedBy=multi-user.target
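Review bot: The `ReadWritePaths=` line grants the whole of `/home/` and `/var/log/` writable, which largely undoes `ProtectSystem=strict` for exactly the code the commit message says it wants to confine (control programs run under user accounts could write to any user's home directory and every log file), so these two entries should be narrowed to the specific directories the daemon actually uses, for example a per-service log directory via `LogsDirectory=revpipyload` and the concrete home subtree the control programs need instead of `/home/`. The single-file entry `/var/run/revpipyload.pid` is also fragile: the daemon creates that file itself (`-d` with `PIDFile=` above the hunk), and a bind mount for a path that does not yet exist at unit start can make namespace setup fail on first boot, so consider `RuntimeDirectory=revpipyload` (adjusting `PIDFile=`) or prefixing the entry with `-`. Finally, the hunk shows no `User=` line, so if the daemon runs as root the mount-namespace restrictions can be undone by the process itself; systemd's documentation recommends pairing these settings with `CapabilityBoundingSet=~CAP_SYS_ADMIN` or `SystemCallFilter=~@mount`, and `NoNewPrivileges=yes` would be a low-risk addition here.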