From 9af3e2ca90f3b6b32a6705fce5a2975fefa0e838 Mon Sep 17 00:00:00 2001
From: Orazio <22700499+orazioedoardo@users.noreply.github.com>
Date: Sun, 2 Jan 2022 20:37:41 +0100
Subject: [PATCH] Set security options for the example signal-cli-socket systemd unit (#852)

* Restrict socket access to root and users in the signal-cli group
* Sandbox signal-cli-socket service using systemd features
* Add RemoveIPC too.
* Restore original placeholder for ExecStart path.
---
data/signal-cli-socket.service | 32 ++++++++++++++++++++++++++++++--
data/signal-cli-socket.socket | 5 +++++
2 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/data/signal-cli-socket.service b/data/signal-cli-socket.service
index a6a2cfbcbe..670f9c9991 100644
--- a/data/signal-cli-socket.service
+++ b/data/signal-cli-socket.service
@@ -5,15 +5,43 @@ After=network-online.target
 Requires=signal-cli-socket.socket
 
 [Service]
-Type=simple
+CapabilityBoundingSet=
 Environment="SIGNAL_CLI_OPTS=-Xms2m"
+# Update 'ReadWritePaths' if you change the config path here
 ExecStart=%dir%/bin/signal-cli --config /var/lib/signal-cli daemon
-User=signal-cli
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+# Profile pictures and attachments to upload must be located here for the service to access them
+ReadWritePaths=/var/lib/signal-cli
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
 # JVM always exits with 143 in reaction to SIGTERM signal
 SuccessExitStatus=143
 StandardInput=socket
 StandardOutput=journal
 StandardError=journal
+SystemCallArchitectures=native
+SystemCallFilter=~@debug @mount @obsolete @privileged @resources
+UMask=0077
+# Create the user and home directory with 'useradd -r -U -s /usr/sbin/nologin -m -b /var/lib signal-cli'
+User=signal-cli
 
 [Install]
 Also=signal-cli-socket.socket
diff --git a/data/signal-cli-socket.socket b/data/signal-cli-socket.socket
index e8583562cc..0207b059df 100644
--- a/data/signal-cli-socket.socket
+++ b/data/signal-cli-socket.socket
@@ -3,6 +3,11 @@ Description=Send secure messages to Signal clients
 
 [Socket]
 ListenStream=%t/signal-cli/socket
+SocketUser=root
+# Add yourself to the signal-cli group to talk with the service
+# Run 'usermod -aG signal-cli yourusername'
+SocketGroup=signal-cli
+SocketMode=0660
 
 [Install]
 WantedBy=sockets.target
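Review bot: The state directory is wired up by hand in the `[Service]` hunk — `ReadWritePaths=/var/lib/signal-cli`, the comment above `ExecStart=` asking readers to keep it in sync, and the `useradd ... -m -b /var/lib` instruction above `User=` — where `StateDirectory=signal-cli` would have systemd create `/var/lib/signal-cli` owned by the service user and grant write access to it under `ProtectSystem=strict` without a separate path to maintain; consider replacing `ReadWritePaths=/var/lib/signal-cli` with `StateDirectory=signal-cli` and dropping `-m -b /var/lib` from the useradd comment. Separately, `SystemCallFilter=` deserves an operator-facing comment, because a syscall outside the allowed set terminates the process with SIGSYS by default rather than returning an error, which in the journal appears as a killed main process with status `31/SYS`; something like `# A filtered syscall kills the JVM with SIGSYS (journal: status=31/SYS); narrow the deny list rather than removing the filter if that happens`. `RemoveIPC=true` is redundant with `PrivateIPC=true` but harmless, so a one-word comment noting it is defence in depth would stop the next reader from removing one of them. The `[Unit]` section this hunk belongs to starts outside the hunk.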
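Review bot: In the `.socket` hunk, `SocketGroup=signal-cli` reuses the service account's own group — the `useradd -r -U` comment in the `.service` file creates it as the primary group of the `signal-cli` user — so every account added with `usermod -aG signal-cli` also gains whatever group permissions exist on `/var/lib/signal-cli` and the daemon's files, not just the right to connect to the socket. `UMask=0077` keeps files the daemon creates owner-only, but the directory itself is created by useradd with the distribution's default home-directory mode, which may be group-readable, so the coupling is worth stating above `SocketGroup=`: `# This group is also the daemon's primary group; confirm /var/lib/signal-cli is not group-readable before adding users`. A dedicated access group (with `SocketGroup=` pointing at it) would remove the coupling entirely; that is a design choice rather than a defect in the hunk.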