From 132789785d1bddf750b81a7ef86b9b54055bffc1 Mon Sep 17 00:00:00 2001
From: desbma
Date: Fri, 7 Dec 2018 14:58:12 +0100
Subject: [PATCH] etc: Add hardening options to syncthing systemd services (fixes #5286) (#5351)
---
 etc/linux-systemd/system/syncthing@.service | 7 +++++++
 etc/linux-systemd/user/syncthing.service | 7 +++++++
 2 files changed, 14 insertions(+)
diff --git a/etc/linux-systemd/system/syncthing@.service b/etc/linux-systemd/system/syncthing@.service
index 1de4274ad..30846b1c2 100644
--- a/etc/linux-systemd/system/syncthing@.service
+++ b/etc/linux-systemd/system/syncthing@.service
@@ -10,5 +10,12 @@ Restart=on-failure
 SuccessExitStatus=3 4
 RestartForceExitStatus=3 4
 
+# Hardening
+ProtectSystem=full
+PrivateTmp=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+
 [Install]
 WantedBy=multi-user.target
diff --git a/etc/linux-systemd/user/syncthing.service b/etc/linux-systemd/user/syncthing.service
index 6a9f3b7af..1c0fe2296 100644
--- a/etc/linux-systemd/user/syncthing.service
+++ b/etc/linux-systemd/user/syncthing.service
@@ -8,5 +8,12 @@ Restart=on-failure
 SuccessExitStatus=3 4
 RestartForceExitStatus=3 4
 
+# Hardening
+ProtectSystem=full
+PrivateTmp=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+
 [Install]
 WantedBy=default.target
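Review bot: The `# Hardening` comment in syncthing@.service does not say what the two filesystem options take away, which matters for a file synchroniser. `ProtectSystem=full` makes /usr, /boot and /etc read-only for the service and `PrivateTmp=true` gives it a private /tmp, so a folder configured under any of those paths stops syncing once this unit is installed. I would add a comment such as `# ProtectSystem=full: /usr, /boot, /etc read-only; PrivateTmp: private /tmp. Use a drop-in override if a synced folder lives there.` `NoNewPrivileges=true` also means child processes the service starts cannot gain privileges through setuid binaries, which deserves a line of its own. The [Service] section starts above the hunk, so I cannot see which other directives are already set; as shown, home directories stay writable and the network is unrestricted, so this is a baseline rather than confinement.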
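Review bot: In user/syncthing.service, `ProtectSystem=full` and `PrivateTmp=true` both rely on a mount namespace, which a per-user service manager generally cannot set up without privileges. Depending on the systemd version they are likely either ignored, leaving the unit looking more restricted than it is, or the unit fails at start. Please confirm the behaviour on the oldest systemd release the project supports before copying the system unit's block verbatim. If the options turn out to be ineffective there, keep only the seccomp-based settings in the user unit (`SystemCallArchitectures=native`, `MemoryDenyWriteExecute=true`, `NoNewPrivileges=true`) and say so in the comment, e.g. `# Hardening (namespace-based options are omitted: not available to user services)`. The [Service] section begins above the hunk.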