From 603b716ac22ac5e7f7cf0115efcfcf5941aae78b Mon Sep 17 00:00:00 2001
From: downtownallday
Date: Sun, 18 Sep 2022 15:43:10 -0400
Subject: [PATCH] add additional protections to the management daemon's runtime environment

---
 conf/mailinabox.service | 10 ++++++++++
 setup/management.sh | 1 +
 2 files changed, 11 insertions(+)

diff --git a/conf/mailinabox.service b/conf/mailinabox.service
index c1d98a03..fb5e9008 100644
--- a/conf/mailinabox.service
+++ b/conf/mailinabox.service
@@ -5,6 +5,16 @@ After=multi-user.target
 [Service]
 Type=idle
 IgnoreSIGPIPE=False
+ProtectSystem=yes
+ProtectHome=read-only
+ReadWritePaths=STORAGE_ROOT
+PrivateDevices=yes
+PrivateNetwork=no
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+SyslogIdentifier=mailinabox
 ExecStart=/usr/local/lib/mailinabox/start
 
 [Install]
diff --git a/setup/management.sh b/setup/management.sh
index 60a313c4..7c9a8647 100755
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -109,6 +109,7 @@ exec gunicorn -b localhost:10222 -w 1 wsgi:app
 EOF
 chmod +x $inst_dir/start
 cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
+sed -i "s|STORAGE_ROOT|$STORAGE_ROOT|g" /lib/systemd/system/mailinabox.service
 hide_output systemctl link -f /lib/systemd/system/mailinabox.service
 hide_output systemctl daemon-reload
 hide_output systemctl enable mailinabox.service
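Review bot: `ReadWritePaths=STORAGE_ROOT` makes the committed unit file a template rather than a loadable unit — the literal token is only replaced by the `sed` in setup/management.sh — and nothing in the file says so, so a reader who installs conf/mailinabox.service directly gets a service whose writable path does not exist; a comment such as `# STORAGE_ROOT is substituted with the real path by setup/management.sh` above that line would make the dependency explicit. `ProtectSystem=yes` leaves /etc writable where `full` or `strict` would not; if that is deliberate because the daemon rewrites configuration under /etc, a one-line comment stating it would stop the next reviewer from "tightening" it and breaking the service. `PrivateNetwork=no` is systemd's default and adds no protection, so it reads as if it were doing something; either drop it or comment that it is spelled out intentionally (the daemon needs the network). The [Service] section continues outside the hunk.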
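Review bot: The added `sed -i "s|STORAGE_ROOT|$STORAGE_ROOT|g"` interpolates `$STORAGE_ROOT` unescaped into the sed replacement, so a value containing `|`, `&` or `\` terminates or corrupts the expression (and `&` re-inserts the matched text) instead of producing the intended path; escape the value first, e.g. `storage_root_sed=$(printf '%s' "$STORAGE_ROOT" | sed 's/[&|\\]/\\&/g')` followed by `sed -i "s|^ReadWritePaths=STORAGE_ROOT\$|ReadWritePaths=$storage_root_sed|" /lib/systemd/system/mailinabox.service`, anchoring on the whole line so only the intended token is rewritten. Since ReadWritePaths= is a space-separated list, a `$STORAGE_ROOT` containing whitespace would also be split into several paths by systemd, which presumably should be rejected earlier in setup rather than silently producing a narrower sandbox. A short comment on the line, `# conf/mailinabox.service carries a STORAGE_ROOT placeholder in ReadWritePaths=`, would tie this substitution to the unit file. The enclosing script continues on both sides of the hunk.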