From a31d93aa7034b388507547795504178fda35c4ee Mon Sep 17 00:00:00 2001
From: "Alexander \"Arav\" Andreev"
Date: Sat, 19 Aug 2023 19:40:24 +0400
Subject: [PATCH] Further hardening in a radio's systemd unit.
---
 init/radio.service | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/init/radio.service b/init/radio.service
index 3ef528f..58fd1c4 100755
--- a/init/radio.service
+++ b/init/radio.service
@@ -26,18 +26,34 @@ LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
+PrivateTmp=true
 ProtectClock=true
+ProtectProc=noaccess
+ProcSubset=pid
+PrivateUsers=true
 ProtectControlGroups=true
 ProtectHome=true
+ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+ProtectProc=true
 ProtectSystem=strict
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
 [Install]
 WantedBy=multi-user.target
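Review bot: The `ProtectProc=true` line added after `ProtectKernelTunables=true` uses a value that `ProtectProc=` does not accept (it takes `noaccess`, `invisible`, `ptraceable` or `default`), and it duplicates the `ProtectProc=noaccess` added a few lines earlier. systemd should log a parse warning and ignore the line, so `noaccess` most likely stays in effect, but the stray entry makes the intended setting ambiguous and is best dropped. The ten `SystemCallFilter=~@…` lines form a pure deny-list, so every syscall outside those groups remains allowed; starting the list with `SystemCallFilter=@system-service` and keeping the `~` groups after it gives an allow-list baseline instead. Adding `SystemCallErrorNumber=EPERM` makes a filtered call fail with an error rather than terminate the service. Running `systemd-analyze verify` and `systemd-analyze security` on the installed unit would confirm what is actually applied.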