From c6721e75453bb2e46e63c9a050db4970100c447a Mon Sep 17 00:00:00 2001 From: CroneKorkN Date: Fri, 15 May 2026 14:49:10 +0200 Subject: [PATCH] bundles/left4me: spread HARDENING_WEB into left4me-web.service MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the sudo-compatible hardening subset to the web unit. Tightens ProtectSystem=full → strict. NoNewPrivileges, PrivateUsers, RestrictSUIDSGID, empty CapabilityBoundingSet, and ~@privileged in the syscall filter intentionally absent (sudo-incompatible until a future refactor replaces the helper sudo with systemctl-managed transient units). Co-Authored-By: Claude Opus 4.7 (1M context)
---
 bundles/left4me/metadata.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/bundles/left4me/metadata.py b/bundles/left4me/metadata.py
index 57d555e..1f96d50 100644
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@@ -300,10 +300,18 @@ def systemd_units(metadata):
 ),
 'Restart': 'on-failure',
 'RestartSec': '3',
- # NoNewPrivileges intentionally NOT set: workers sudo to the helpers.
- 'ProtectSystem': 'full',
+
+ # Web app writes broadly under /var/lib/left4me. Kept inline
+ # because it's web-specific (server@ uses BindPaths to bind
+ # only its instance dir).
 'ReadWritePaths': '/var/lib/left4me',
- 'PrivateTmp': 'true',
+
+ # Hardening profile — see HARDENING_WEB constant near top of
+ # this file. NoNewPrivileges intentionally NOT set: workers
+ # sudo to the helpers. PrivateUsers and RestrictSUIDSGID also
+ # absent for the same reason. ProtectSystem tightens from
+ # 'full' to 'strict' via HARDENING_COMMON.
+ **HARDENING_WEB,
 },
 'Install': {
 'WantedBy': {'multi-user.target'},
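Review bot: `**HARDENING_WEB,` is spread after the inline `'ReadWritePaths': '/var/lib/left4me',`, so if HARDENING_WEB (or the HARDENING_COMMON folded into it — neither is visible in this hunk) ever carries its own ReadWritePaths, ProtectSystem or PrivateTmp key, the dict literal resolves the collision silently in favour of the profile and the web-specific path is dropped with no error. Spreading first and letting the inline key win is the safer shape — `**HARDENING_WEB,` followed by `'ReadWritePaths': '/var/lib/left4me',` (comments moved accordingly) — or, alternatively, a one-off `assert 'ReadWritePaths' not in HARDENING_WEB` next to the constant's definition. It is also worth confirming that HARDENING_WEB still sets PrivateTmp, because the explicit `'PrivateTmp': 'true'` is removed here and nothing in the hunk re-supplies it. Separately, under ProtectSystem=strict the helpers reached via sudo inherit this unit's read-only mount namespace, so any path they write outside /var/lib/left4me (sudo's own /run/sudo/ts timestamp directory included, which sudo tends to tolerate with a warning) will fail with EROFS, and helper writes elsewhere would not be tolerated. systemd_units begins and ends outside this hunk.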