From 46e83bcb68f1feb56204e9668f856f8a9aa1a022 Mon Sep 17 00:00:00 2001
From: Simon Marsh <simon@sesa.me.uk>
Date: Wed, 6 Mar 2019 19:22:10 +0000
Subject: [PATCH] Harden systemd unit file

---
 contrib/lgregmapper.service | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/contrib/lgregmapper.service b/contrib/lgregmapper.service
index 1cb05fd..cc9019e 100644
--- a/contrib/lgregmapper.service
+++ b/contrib/lgregmapper.service
@@ -14,6 +14,16 @@ User=lglass
 Group=lglass
 Type=simple
 Restart=on-failure
+# service hardening
+ProtectSystem=strict
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+PrivateTmp=yes
+PrivateDevices=yes
+DevicePolicy=closed
+MemoryDenyWriteExecute=yes
+ProtectHome=true
+#
 ExecStart=/opt/lgregmapper/lgregmapper -b ":11211"
      
 #########################################################################