From f1ec6a6c85d145d56611ea871a2a50d5168b0b63 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin <alex.aubin@mailoo.org>
Date: Wed, 11 Nov 2020 19:54:27 +0100
Subject: [PATCH] Add RestrictAddressFamilies and SystemCallFilter

---
 conf/systemd.service | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index d0ddbf0..ca2ed1a 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -16,6 +16,7 @@ ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1
 NoNewPrivileges=yes
 PrivateTmp=yes
 PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 DevicePolicy=closed
@@ -24,7 +25,7 @@ ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 LockPersonality=yes
-
+SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
 
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html