From 25a2e31b63a77f66d7c0c37881fcb6aab02ac9fe Mon Sep 17 00:00:00 2001
From: "@RubenKelevra"
Date: Tue, 26 May 2020 10:25:32 +0200
Subject: [PATCH] systemd: add a service file with systemd hardening features
---
 misc/systemd/ipfs-hardened.service | 70 ++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 misc/systemd/ipfs-hardened.service
diff --git a/misc/systemd/ipfs-hardened.service b/misc/systemd/ipfs-hardened.service
new file mode 100644
index 000000000..dbb35c597
--- /dev/null
+++ b/misc/systemd/ipfs-hardened.service
@@ -0,0 +1,70 @@
+# This file will be overwritten on package upgrades, avoid customizations here.
+#
+# To make persistant changes, create file in
+# "/etc/systemd/system/ipfs.service.d/overwrite.conf" with
+# `systemctl edit ipfs.service`. This file will be parsed after this
+# file has been parsed.
+#
+# To overwrite a variable, like ExecStart you have to specify it once
+# blank and a second time with a new value, like:
+# ExecStart=
+# ExecStart=/usr/bin/ipfs daemon --flag1 --flag2
+#
+# For more info about custom unit files see systemd.unit(5).
+
+# This service file enables systemd-hardening features compatible with IPFS,
+# while breaking compability with the fuse-mount function. Use this one only
+# if you don't need the fuse-mount functionality.
+
+[Unit]
+Description=InterPlanetary File System (IPFS) daemon
+Documentation=https://docs.ipfs.io/
+After=network.target
+
+[Service]
+# hardening
+ReadWritePaths="/var/lib/ipfs/"
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+PrivateDevices=true
+DevicePolicy=closed
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+ProtectHostname=true
+PrivateTmp=true
+ProtectClock=true
+LockPersonality=true
+RestrictNamespaces=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+ProtectHome=true
+RemoveIPC=true
+RestrictSUIDSGID=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# enable for 1-1024 port listening
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+# enable to specify a custom path see docs/environment-variables.md for further documentations
+#Environment=IPFS_PATH=/custom/ipfs/path
+# enable to specify a higher limit for open files/connections
+#LimitNOFILE=1000000
+
+#don't use swap
+MemorySwapMax=0
+
+Type=notify
+User=ipfs
+Group=ipfs
+StateDirectory=ipfs
+ExecStart=/usr/bin/ipfs daemon --init --migrate
+Restart=on-failure
+KillSignal=SIGINT
+
+[Install]
+WantedBy=default.target
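Review bot: The header comment points users at `/etc/systemd/system/ipfs.service.d/overwrite.conf` via `systemctl edit ipfs.service`, but `systemctl edit` writes a drop-in named `override.conf`, and for a unit installed under this file's name the drop-in directory is `ipfs-hardened.service.d`, so the instructions should read `systemctl edit ipfs-hardened.service` (which creates `/etc/systemd/system/ipfs-hardened.service.d/override.conf`) unless the package installs the file as `ipfs.service`. The `ReadWritePaths="/var/lib/ipfs/"` line is redundant with `StateDirectory=ipfs`, which already makes `/var/lib/ipfs` writable under `ProtectSystem=strict`; if it is kept, drop the quotes so it matches the other unquoted paths in the unit. Since `ProtectHome=true` hides `/home`, the daemon only finds its repository if the ipfs user's home or `IPFS_PATH` resolves to the state directory — worth stating in the comment above the commented-out `Environment=IPFS_PATH=` line rather than leaving it implicit. Header typos: `persistant` should be `persistent` and `compability` should be `compatibility`.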