From b232b93ea052fd40420423b2150865f7cfa82e72 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Tue, 6 Oct 2020 09:20:22 -0400
Subject: [PATCH] Use a lot more systemd hardening features

Just on general principle. In particular the combination of a readonly `/usr` and `WorkingDirectory=/usr` will give us a consistent clean error if we somehow accidentally write to the current working directory.
---
 systemd/bootupd.service | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/systemd/bootupd.service b/systemd/bootupd.service
index 7a7bcdc9..5a4d08ae 100644
--- a/systemd/bootupd.service
+++ b/systemd/bootupd.service
@@ -11,7 +11,17 @@ StartLimitBurst=10
 Type=notify
 Environment=BOOTUPD_VERBOSITY="-v"
 ExecStart=/usr/libexec/bootupd daemon $BOOTUPD_VERBOSITY
-# On general principle
+# This way our working directory isn't writable by default.
+WorkingDirectory=/usr
+# Various hardening flags just on general principle. We need
+# to run as root, but let's avoid accidental damage.
 ProtectHome=yes
+ReadOnlyPaths=/usr
+PrivateTmp=yes
+PrivateNetwork=yes
+ProtectClock=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
 # So we can remount /boot writable
 MountFlags=slave
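Review bot: The new hardening block stops short of the kernel-facing protections that are independent of the daemon's need to write /boot — `ProtectKernelTunables=yes`, `ProtectKernelModules=yes` and `ProtectKernelLogs=yes` would fit between `ProtectControlGroups=yes` and `RestrictSUIDSGID=yes` without affecting the remount that `MountFlags=slave` exists for, and `RestrictRealtime=yes` and `LockPersonality=yes` are similarly low-risk for a root daemon. The added comment "Various hardening flags just on general principle" should also record why `ProtectSystem=` is absent, presumably because it would make /boot read-only as well, so a later reader does not "complete" the hardening and break the remount: `# ProtectSystem= is intentionally unused: it would also cover /boot, which the daemon remounts writable.` Note that `ProtectClock=` and `ProtectHostname=` are comparatively recent directives; on older systemd releases an unknown setting is logged and ignored rather than failing unit load, so that part of the hardening degrades silently on such hosts and is worth a mention in the same comment if the project supports them.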