From 67195a8e58e971e7baa8d7d0da6d1c130a42b019 Mon Sep 17 00:00:00 2001
From: undef
Date: Wed, 14 Apr 2021 03:48:00 +0000
Subject: [PATCH] d/service: Use systemd to sandbox eg25-manager

With eg25-manager directly interfacing with the untrusted modem and potentially (MR !15) including libcurl for HTTP, sandboxing the daemon significantly reduces the any post-exploit attack surface.

---
 debian/eg25-manager.service | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/debian/eg25-manager.service b/debian/eg25-manager.service
index 21030cd..3af1f99 100644
--- a/debian/eg25-manager.service
+++ b/debian/eg25-manager.service
@@ -6,6 +6,23 @@ Before=ModemManager.service
 Type=simple
 ExecStart=/usr/bin/eg25manager
 Restart=on-failure
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictSUIDSGID=true
+PrivateTmp=true
+ProtectedKernelModules=true
+MemoryDenyWriteExecute=true
+PrivateMounts=true
+NoNewPrivileges=true
+CapabilityBoundingSet=
+ProtectProc=true
+ProtectDevices=true
+DeviceAllow=/dev/ttyS2
+LockPersonality=true
+ProtectClock=true
+ProtectKernelLog=true
 
 [Install]
 WantedBy=multi-user.target
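Review bot: Three of the added directives are not valid systemd keys or values and will be logged as unknown or unparseable at unit load and ignored, so the protection they imply is silently absent: `ProtectedKernelModules=true` (the directive is `ProtectKernelModules=`), `ProtectDevices=true` (no such directive; `PrivateDevices=` is the nearest, but it would hide /dev/ttyS2 entirely), and `ProtectProc=true` (`ProtectProc=` takes `noaccess`, `invisible`, `ptraceable` or `default`). I would change them to `ProtectKernelModules=true`, `ProtectProc=invisible`, and replace `ProtectDevices=true` with `DevicePolicy=closed` so the device restriction rests explicitly on the existing `DeviceAllow=/dev/ttyS2`. Because a `DeviceAllow=` line narrows access to the listed node plus the standard pseudo-devices, any other device nodes the daemon opens (GPIO chips, for instance) presumably need their own `DeviceAllow=` entries, and `ProtectSystem=strict` likewise needs `ReadWritePaths=` if the daemon writes anywhere under /var or /etc — worth confirming against the daemon's actual file and device access. Running `systemd-analyze verify` on the unit would have flagged the unknown keys before merge.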