From 155125a5bf8c6217eb9a4f80f337e4058c75abdb Mon Sep 17 00:00:00 2001
From: analotia
Date: Fri, 18 Sep 2020 18:20:05 +0300
Subject: [PATCH] more hardening

---
 contrib/i2pd.service | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/contrib/i2pd.service b/contrib/i2pd.service
index 662a4cb0..b5310809 100644
--- a/contrib/i2pd.service
+++ b/contrib/i2pd.service
@@ -35,6 +35,7 @@ LimitNOFILE=65536
 NoNewPrivileges=yes
 PrivateTmp=yes
 PrivateUsers=true
+DevicePolicy=closed
 PrivateDevices=yes
 ProtectHome=yes
 ProtectSystem=full
@@ -46,7 +47,7 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_INET AF_INET6
-RestrictNamespaces=cgroup ipc mnt pid user uts
+RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 RemoveIPC=true
@@ -55,6 +56,11 @@ ReadWriteDirectories=-/var/lib/i2pd
 ReadWriteDirectories=-/var/log/i2pd
 ReadWriteDirectories=-/run
 CapabilityBoundingSet=
+UMask=0077
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
 
 [Install]
 WantedBy=multi-user.target
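Review bot: The added `DevicePolicy=closed` in the first hunk duplicates what the `PrivateDevices=yes` directly below it already implies — per systemd.exec(5), PrivateDevices= sets DevicePolicy=closed and installs the @raw-io filter on its own. The line is harmless but gives a reader no hint that it is intentional redundancy rather than a separate requirement. Either drop it or keep it with a short comment, e.g. `# explicit for clarity; already implied by PrivateDevices=yes`.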
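Review bot: The new `SystemCallFilter=~...` line in the last hunk lists `@mount @raw-io @reboot` twice and denies `@resources` without a `SystemCallErrorNumber=`, so the first setrlimit/prlimit/setpriority call the daemon makes kills it with SIGSYS instead of returning an EPERM it could log and continue past. A router that manages its own descriptor limit is plausible given the `LimitNOFILE=65536` context line, though I cannot confirm from this diff that i2pd calls setrlimit, so the unit needs a real start under the new filter before merging; the same runtime check applies to the new `MemoryDenyWriteExecute=true`, which breaks any component that maps W+X pages. If the daemon does touch rlimits, either drop `@resources` or add `SystemCallErrorNumber=EPERM` beside the filter. In any case deduplicate and sort the line to `SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap` — several of those are already inside `@privileged`, which is fine as explicit documentation but should not be listed twice.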