From b4e00d2574f15935ffb4b0d5650a6e53b4c60bcb Mon Sep 17 00:00:00 2001
From: James Valleroy
Date: Sat, 21 Dec 2019 14:48:06 -0500
Subject: [PATCH] deluge: Use systemd sandboxing features
Signed-off-by: James Valleroy
[sunil: Remove directive for unused logs directory]
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: Sunil Mohan Adapa
---
 actions/deluge | 14 ++++++++++++++
 plinth/modules/deluge/__init__.py | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/actions/deluge b/actions/deluge
index ee7e6bf7b..c35750d05 100755
--- a/actions/deluge
+++ b/actions/deluge
@@ -38,6 +38,20 @@ ExecStart=bash -c "/usr/bin/deluge-web --base=deluge $(/usr/bin/deluge-web --ver
 Restart=on-failure
 User=debian-deluged
 Group=debian-deluged
+LockPersonality=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=yes
+StateDirectory=deluged
+SystemCallArchitectures=native
 [Install]
 WantedBy=multi-user.target
diff --git a/plinth/modules/deluge/__init__.py b/plinth/modules/deluge/__init__.py
index 733375366..e1aab2e4f 100644
--- a/plinth/modules/deluge/__init__.py
+++ b/plinth/modules/deluge/__init__.py
@@ -30,7 +30,7 @@ from plinth.modules.users import register_group
 from .manifest import backup, clients # noqa, pylint: disable=unused-import
-version = 3
+version = 4
 managed_services = ['deluge-web']
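Review bot: `ProtectSystem=yes` among the added [Service] directives in actions/deluge is the weakest level of that option, since it makes only /usr and the boot directories read-only, so /etc and the rest of the tree stay writable wherever file permissions allow, and no `ProtectHome=` is set. Because `StateDirectory=deluged` already gives the service a writable state path, `ProtectSystem=strict` together with `ProtectHome=yes` looks achievable, provided deluge-web is confirmed to write nowhere else. `ProtectKernelLogs=` is understood only by recent systemd releases (244 and later, as far as I know), and older ones log a warning and ignore it, so the effective sandbox is worth checking with `systemd-analyze security` for the deluge-web unit on the oldest supported target. The unit's [Service] section begins above this hunk, so any directives set earlier are not visible here.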