From 8ecf9e90b9c7ce6eb4cf3243a9c77abc43a85e83 Mon Sep 17 00:00:00 2001
From: s3krit <pugh@s3kr.it>
Date: Wed, 16 Sep 2020 20:20:34 +0100
Subject: [PATCH] Improve security of polkadot.service

This additional config is based on the output of `systemd-analyze security polkadot.service`. We recently added [our own](https://github.com/paritytech/polkadot/blob/master/scripts/packaging/polkadot.service) polkadot.service file in the polkadot repo and spent a little time researching which sandboxing and namespacing options we could take advantage of. Discussion for that PR is [here](https://github.com/paritytech/polkadot/pull/1676#discussion_r484540568).
---
 .../templates/polkadot.service.j2             | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/ansible/roles/polkadot-validator/templates/polkadot.service.j2 b/ansible/roles/polkadot-validator/templates/polkadot.service.j2
index e106aa75..e6053a00 100644
--- a/ansible/roles/polkadot-validator/templates/polkadot.service.j2
+++ b/ansible/roles/polkadot-validator/templates/polkadot.service.j2
@@ -30,6 +30,27 @@ ExecStart=/usr/local/bin/polkadot \
   {% endif %}
 
 Restart=always
+CapabilityBoundingSet=
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@clock @module @mount @reboot @swap @privileged
+UMask=0027
 
 [Install]
 WantedBy=multi-user.target