From ff0dc01023166b3c755b4051e6b458da9dbace26 Mon Sep 17 00:00:00 2001
From: James Valleroy <jvalleroy@mailbox.org>
Date: Thu, 4 Nov 2021 15:48:05 -0400
Subject: [PATCH] samba: Use systemd sandboxing for smbd/nmbd

Test: Samba functional tests passed.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
---
 .../system/nmbd.service.d/freedombox.conf        | 16 ++++++++++++++++
 .../system/smbd.service.d/freedombox.conf        | 15 +++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 plinth/modules/samba/data/usr/lib/systemd/system/nmbd.service.d/freedombox.conf
 create mode 100644 plinth/modules/samba/data/usr/lib/systemd/system/smbd.service.d/freedombox.conf

diff --git a/plinth/modules/samba/data/usr/lib/systemd/system/nmbd.service.d/freedombox.conf b/plinth/modules/samba/data/usr/lib/systemd/system/nmbd.service.d/freedombox.conf
new file mode 100644
index 000000000..c178ad6a1
--- /dev/null
+++ b/plinth/modules/samba/data/usr/lib/systemd/system/nmbd.service.d/freedombox.conf
@@ -0,0 +1,16 @@
+[Service]
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictRealtime=yes
+SystemCallArchitectures=native
diff --git a/plinth/modules/samba/data/usr/lib/systemd/system/smbd.service.d/freedombox.conf b/plinth/modules/samba/data/usr/lib/systemd/system/smbd.service.d/freedombox.conf
new file mode 100644
index 000000000..6fc272456
--- /dev/null
+++ b/plinth/modules/samba/data/usr/lib/systemd/system/smbd.service.d/freedombox.conf
@@ -0,0 +1,15 @@
+[Service]
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictRealtime=yes
+SystemCallArchitectures=native