bundles/left4me: spread HARDENING_WEB into left4me-web.service

Adds the sudo-compatible hardening subset to the web unit. Tightens ProtectSystem=full → strict. NoNewPrivileges, PrivateUsers, RestrictSUIDSGID, empty CapabilityBoundingSet, and ~@privileged in the syscall filter intentionally absent (sudo-incompatible until a future refactor replaces the helper sudo with systemctl-managed transient units). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 14:49:10 +02:00 · 2026-05-15 14:49:10 +02:00 · c6721e7545
commit c6721e7545
parent 640461c87a
1 changed files with 11 additions and 3 deletions
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@ -300,10 +300,18 @@ def systemd_units(metadata):
                        ),
                        'Restart': 'on-failure',
                        'RestartSec': '3',
-                        # NoNewPrivileges intentionally NOT set: workers sudo to the helpers.
-                        'ProtectSystem': 'full',
+
+                        # Web app writes broadly under /var/lib/left4me. Kept inline
+                        # because it's web-specific (server@ uses BindPaths to bind
+                        # only its instance dir).
                        'ReadWritePaths': '/var/lib/left4me',
-                        'PrivateTmp': 'true',
+
+                        # Hardening profile — see HARDENING_WEB constant near top of
+                        # this file. NoNewPrivileges intentionally NOT set: workers
+                        # sudo to the helpers. PrivateUsers and RestrictSUIDSGID also
+                        # absent for the same reason. ProtectSystem tightens from
+                        # 'full' to 'strict' via HARDENING_COMMON.
+                        **HARDENING_WEB,
                    },
                    'Install': {
                        'WantedBy': {'multi-user.target'},