From cecb114810d176ecea276568f1d1ec612b23b683 Mon Sep 17 00:00:00 2001
From: Colin
Date: Thu, 4 Jan 2024 18:47:40 +0000
Subject: [PATCH] clightning: harden

---
 modules/services/clightning.nix | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/modules/services/clightning.nix b/modules/services/clightning.nix
index e838c6c7b..65b21f460 100644
--- a/modules/services/clightning.nix
+++ b/modules/services/clightning.nix
@@ -154,7 +154,33 @@ in
 User = cfg.user;
 Restart = "on-failure";
 RestartSec = "30s";
+ ReadWritePaths = [ cfg.dataDir ];
+
+ # hardening
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
 };
 preStart = ''
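Review bot: The hardening block never clears the capability sets — `NoNewPrivileges = true` stops the process from gaining capabilities, but the bounding and ambient sets are still inherited unless something earlier in the `serviceConfig` attrset (which starts above the hunk) clears them; `CapabilityBoundingSet = "";` and `AmbientCapabilities = "";` belong next to `NoNewPrivileges`, and `RestrictRealtime = true;` is the usual companion to `RestrictNamespaces`/`RestrictSUIDSGID`. `ProtectSystem = "strict"` combined with only `ReadWritePaths = [ cfg.dataDir ]` makes every other path read-only for the main process and for the `preStart` script whose body is outside the hunk, so anything it creates outside `cfg.dataDir`, or a log file or RPC socket configured elsewhere, will now fail with EROFS and should be checked before deploy. The bare `# hardening` comment would be more useful recording that constraint, e.g. `# hardening: everything outside cfg.dataDir is read-only (ProtectSystem=strict); extend ReadWritePaths if lightningd or a plugin must write elsewhere`. `MemoryDenyWriteExecute` and `~@resources` in `SystemCallFilter` can also break plugins that map writable+executable memory or raise their own rlimits, which would surface as a SIGSYS or mmap failure in the journal rather than as a clean error.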