From 0a58428de6096f3222dd30d1a1f186150c25f4f2 Mon Sep 17 00:00:00 2001
From: shibayashi <shibayashi@cypherpunk.observer>
Date: Thu, 25 Oct 2018 00:37:31 +0200
Subject: [PATCH] Add some security related directives to the systemd service
 example

---
 installation/pleroma.service | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/installation/pleroma.service b/installation/pleroma.service
index fd4180985..e410764f3 100644
--- a/installation/pleroma.service
+++ b/installation/pleroma.service
@@ -11,5 +11,15 @@ ExecReload=/bin/kill $MAINPID
 KillMode=process
 Restart=on-failure
 
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
+PrivateTmp=true
+; This makes /usr, /boot, /etc read-only.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve()
+NoNewPrivileges=true
+
 [Install]
 WantedBy=multi-user.target
-- 
GitLab