From ec9ab1d2bc5c6be973186a2d44e776e9d7f70d31 Mon Sep 17 00:00:00 2001
From: Jacob Kiers <code@kiers.eu>
Date: Thu, 22 Feb 2024 21:43:06 +0100
Subject: [PATCH] Add example systemd unit with security protections

This is just about as secure as this process can get

Signed-off-by: Jacob Kiers <code@kiers.eu>
---
 fourth.service | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 fourth.service

diff --git a/fourth.service b/fourth.service
new file mode 100644
index 0000000..5e33d9c
--- /dev/null
+++ b/fourth.service
@@ -0,0 +1,51 @@
+[Unit]
+Description=Fourth - Layer 4 proxy
+
+After=network-online.target
+Wants=network-online.target
+
+[Install]
+WantedBy=default.target
+
+[Service]
+Type=simple
+
+# Allow read-only access to the config directory
+ReadOnlyPaths=/etc/fourth
+# Path to the binary
+ExecStart=/usr/local/bin/fourth
+
+# Needs CAP_NET_BIND_SERVICE in order to bind to lower ports
+# When using ports above 1024, these should be made empty
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Run as a dynamic user
+DynamicUser=yes
+
+# Security
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+SystemCallFilter=@basic-io @file-system @network-io @system-service
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources
+NoNewPrivileges=yes
+ProtectProc=invisible
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+ProcSubset=pid
+UMask=0077
+SystemCallArchitectures=native
+RestrictSUIDSGID=yes
+ProtectKernelTunables=yes
\ No newline at end of file