add additional protections to the management daemon's runtime environment

2025-04-03 00:07:05 +00:00 · 2022-09-18 15:43:10 -04:00 · 2022-09-18 15:43:10 -04:00 · 603b716ac2
commit 603b716ac2
parent 5e1dcc933f
2 changed files with 11 additions and 0 deletions
--- a/conf/mailinabox.service
+++ b/conf/mailinabox.service
@ -5,6 +5,16 @@ After=multi-user.target
 [Service]
 Type=idle
 IgnoreSIGPIPE=False
+ProtectSystem=yes
+ProtectHome=read-only
+ReadWritePaths=STORAGE_ROOT
+PrivateDevices=yes
+PrivateNetwork=no
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+SyslogIdentifier=mailinabox
 ExecStart=/usr/local/lib/mailinabox/start

 [Install]
--- a/setup/management.sh
+++ b/setup/management.sh
@ -109,6 +109,7 @@ exec gunicorn -b localhost:10222 -w 1 wsgi:app
 EOF
 chmod +x $inst_dir/start
 cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
+sed -i "s|STORAGE_ROOT|$STORAGE_ROOT|g" /lib/systemd/system/mailinabox.service
 hide_output systemctl link -f /lib/systemd/system/mailinabox.service
 hide_output systemctl daemon-reload
 hide_output systemctl enable mailinabox.service