From dbf70b9fefbb2e5fd8ab0de98a893882991d5a45 Mon Sep 17 00:00:00 2001 From: James Valleroy Date: Sat, 16 May 2020 08:04:27 -0400 Subject: [PATCH] quassel: Use systemd sandboxing features Tests: - Installed Quassel and diagnostics are passed. - Quassel client connection is successful. Signed-off-by: James Valleroy [sunil: Remove RemainAfterExit=no as it is default] [sunil: Remove ReadWritePaths= as {Logs|State}Directory= take care of it] Signed-off-by: Sunil Mohan Adapa Reviewed-by: Sunil Mohan Adapa --- .../quasselcore.service.d/freedombox.conf | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 plinth/modules/quassel/data/lib/systemd/system/quasselcore.service.d/freedombox.conf diff --git a/plinth/modules/quassel/data/lib/systemd/system/quasselcore.service.d/freedombox.conf b/plinth/modules/quassel/data/lib/systemd/system/quasselcore.service.d/freedombox.conf new file mode 100644 index 000000000..2a8068bfc --- /dev/null +++ b/plinth/modules/quassel/data/lib/systemd/system/quasselcore.service.d/freedombox.conf @@ -0,0 +1,17 @@ +[Service] +LockPersonality=yes +LogsDirectory=quassel +NoNewPrivileges=yes +PrivateDevices=yes +PrivateMounts=yes +PrivateTmp=yes +ProtectControlGroups=yes +ProtectHome=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectSystem=strict +RestrictAddressFamilies=AF_INET AF_INET6 +RestrictRealtime=yes +StateDirectory=quassel +SystemCallArchitectures=native
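Review bot: RestrictAddressFamilies=AF_INET AF_INET6 in this drop-in excludes AF_UNIX, so any local Unix-socket connection made by quasselcore at runtime (for example a PostgreSQL storage backend reached over a local socket rather than TCP) will fail with an address-family error under this unit; the tests listed in the commit message cover install and client connection but not a local database backend, so either add AF_UNIX to the list or state in the commit message that the core is expected to use the default SQLite backend and TCP only. Separately, the hardening set stops short of the options that usually pair with ProtectSystem=strict and NoNewPrivileges=yes: consider adding CapabilityBoundingSet=, RestrictNamespaces=yes, RestrictSUIDSGID=yes and a SystemCallFilter=@system-service line, and check the result with `systemd-analyze security quasselcore.service` before and after to confirm the exposure score actually drops and that StateDirectory=quassel and LogsDirectory=quassel give the service the only writable paths it needs.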