From 2cf8af1cfabb00195049e01b6edb33c57993c0c5 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Thu, 5 Mar 2026 09:58:40 +0100
Subject: [PATCH] Harden the systemd service
---
 proxy/opi-proxy.service | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/proxy/opi-proxy.service b/proxy/opi-proxy.service
index b4c24b1..757dbbb 100644
--- a/proxy/opi-proxy.service
+++ b/proxy/opi-proxy.service
@@ -7,6 +7,27 @@ ExecStart=/usr/bin/gunicorn -b [::]:80 opi_proxy:app -k gevent -u nobody -g nogr
 Environment=CONFIG=/etc/opi-proxy.json
 Restart=always
 Type=simple
+# Filesystem isolation
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+# Device access
+PrivateDevices=yes
+DevicePolicy=closed
+# Syscall filtering
+SystemCallFilter=@system-service
+# Kernel/system protection
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+ProtectClock=yes
+ProtectHostname=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 [Install]
 WantedBy=multi-user.target
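Review bot: The new sandbox is applied to a main process that still starts as root, because the ExecStart shown in the hunk header drops to nobody/nogroup inside gunicorn and no `User=` appears in the hunk, so the mount- and namespace-based protections are weaker than the section comments suggest if the process keeps CAP_SYS_ADMIN until gunicorn has switched user; consider adding `NoNewPrivileges=yes` and a `CapabilityBoundingSet=` limited to what gunicorn needs to bind port 80 and change uid/gid, or move the privilege drop into the unit with `User=`/`Group=` plus `AmbientCapabilities=CAP_NET_BIND_SERVICE`. `SystemCallFilter=@system-service` is added without `SystemCallArchitectures=native` and without the usual deny-list follow-up `SystemCallFilter=~@privileged @resources`, and with no `SystemCallErrorNumber=` a filtered call terminates the worker with SIGSYS, which the `Restart=always` context line will turn into a quiet restart loop rather than a visible failure, so the journal should be checked for SIGSYS after deployment. `MemoryDenyWriteExecute=yes` and `ProtectSystem=strict` are the two directives most likely to break a Python/gevent stack (libffi-based extensions such as cffi/ctypes need writable-executable mappings, and any pid file, log or cache written outside /tmp now needs a `ReadWritePaths=` entry), so both presumably need a real request against the service before merge. The [Service] section these lines belong to begins outside the hunk.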