From 89d2085c692d67d3a0f505b06950aaa64d8b21a6 Mon Sep 17 00:00:00 2001
From: Enno G <egotthold@suse.de>
Date: Wed, 24 Nov 2021 20:28:46 +0100
Subject: [PATCH] Add SystemD hardening (#1720)

* Add SystemD hardening

Co-authored-by: abraunegg <alex.braunegg@gmail.com>
---
 contrib/systemd/onedrive.service.in  | 11 +++++++++++
 contrib/systemd/onedrive@.service.in | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/contrib/systemd/onedrive.service.in b/contrib/systemd/onedrive.service.in
index 366fa6e2..a37103fb 100644
--- a/contrib/systemd/onedrive.service.in
+++ b/contrib/systemd/onedrive.service.in
@@ -5,6 +5,17 @@ After=network-online.target
 Wants=network-online.target
 
 [Service]
+# Commented out hardenings are disabled because they don't work out of the box.
+# If you know what you are doing please try to enable them.
+ProtectSystem=full
+#PrivateDevices=true
+ProtectHostname=true
+#ProtectClock=true
+ProtectKernelTunables=true
+#ProtectKernelModules=true
+#ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
 ExecStart=@prefix@/bin/onedrive --monitor
 Restart=on-failure
 RestartSec=3
diff --git a/contrib/systemd/onedrive@.service.in b/contrib/systemd/onedrive@.service.in
index be2e546c..4d32859b 100644
--- a/contrib/systemd/onedrive@.service.in
+++ b/contrib/systemd/onedrive@.service.in
@@ -5,6 +5,17 @@ After=network-online.target
 Wants=network-online.target
 
 [Service]
+# Commented out hardenings are disabled because they don't work out of the box.
+# If you know what you are doing please try to enable them.
+ProtectSystem=full
+#PrivateDevices=true
+ProtectHostname=true
+#ProtectClock=true
+ProtectKernelTunables=true
+#ProtectKernelModules=true
+#ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
 ExecStart=@prefix@/bin/onedrive --monitor --confdir=/home/%i/.config/onedrive
 User=%i
 Group=users