left4me/docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md

left4me application hardening — defenses survey

Status: living spec. Companion to 2026-05-15-hardening-threat-model.md and 2026-05-15-hardening-test-plan.md.

This document catalogs the Linux + systemd defense primitives applicable to left4me, evaluates each against this codebase's needs, and proposes a candidate composition. Each candidate is testable — the test plan exercises it before commit.

Reference: the threat model defines defenses D1-D7. This document maps primitives to those defenses.

Section 1 — Linux kernel primitives

Namespaces (man 7 namespaces)

NS	Isolates	Relevance
mount	filesystem hierarchy view	Core. Gives TemporaryFileSystem= + bind primitives.
user	uid/gid mapping	Big for D2/D4 (cross-uid ptrace block).
pid	PID 1, /proc visibility	Pairs with ProcSubset=pid for D2.
net	netifs, ports, routes	Breaks gameservers; do not apply to server@.
ipc	SysV IPC + POSIX MQ + abstract sockets	Hygienic; PrivateIPC=true.
uts	hostname	Cosmetic; doesn't matter for us.
time	CLOCK_MONOTONIC offset	Irrelevant for us.
cgroup	cgroup view	Defense-in-depth against cgroup escape.

For left4me: mount + user + pid + ipc on left4me-server@.service. The web unit can use the same minus user-ns (incompatible with sudo).

Capabilities (man 7 capabilities)

Per-process, granted at exec via file caps or by systemd at unit start. Bounding set = upper bound; ambient = inherited across non-setuid exec.

• CapabilityBoundingSet= empty drops everything. Neither srcds nor gunicorn needs any capability after they start (no raw sockets, no mount, no module load, no setuid).
• AmbientCapabilities= empty (default).

Sharp edge: with +-prefixed ExecStartPre, the helper runs as PID 1 (root, all caps), unaffected by these. That's how we get the privileged overlay mount without breaking the unit's caps.

Seccomp-bpf (man 2 seccomp)

Filter syscall set. Per-process. Composes with the AND of all filters loaded. The systemd SystemCallFilter= wraps it.

For us, two filter strategies:

• Allow-list base (@system-service): permissive enough for srcds
  • gunicorn; subtract dangerous groups.
• Deny-list: simpler but easier to leave holes.

Strategy: allow-list with subtractions.

Critical subtractions for D2:

• ~@debug — drops ptrace(2), process_vm_readv/writev(2), process_madvise(2). Single most important syscall block for our threat model.
• ~@mount — mount, umount2, pivot_root (gameserver doesn't need; helper does, and helper runs as root via + prefix).
• ~@privileged — anything requiring CAP_*; redundant with empty bounding set but defense-in-depth.
• ~@reboot, ~@swap, ~@cpu-emulation, ~@obsolete — cheap removal.

Sharp edges:

• SystemCallFilter= lines compose left-to-right by union (first line sets allow-list; subsequent ~ lines subtract).
• A ~ subtract on a group not in the allow-list is a no-op.
• SystemCallArchitectures=native blocks 32-bit syscall entries that bypass the filter. Always set this.
• SystemCallErrorNumber=EPERM vs. default KILL — EPERM is gentler for non-essential paths; KILL is loud and obvious. Start with default (KILL) for clear signal, switch to EPERM if a benign caller trips it (e.g., a library probing for capabilities).

Yama LSM — kernel.yama.ptrace_scope

System-wide sysctl. Values:

• 0: any same-user can ptrace
• 1: same-uid or direct ancestor (Debian default)
• 2: requires CAP_SYS_PTRACE (admin only)
• 3: ptrace disabled entirely

For left4me: setting to 2 system-wide is cheap and removes the same-uid ptrace path entirely. Set via /etc/sysctl.d/99-left4me.conf (or extend an existing file). Doesn't affect debuggability — if you ever need to ptrace, do it as root.

Caveat: Yama is enforced AT THE TIME of ptrace call. With seccomp blocking the syscall entirely (~@debug), Yama becomes belt-and-braces; keep both for defense-in-depth.

LSMs other than Yama

LSM	Status on Debian Trixie	Fit for us
AppArmor	Available; not enabled by default	Could write profiles for srcds + gunicorn. Per-unit profile via AppArmorProfile= on systemd. Moderate effort.
SELinux	Available; not enabled by default	Heavy. Not worth the operational cost on a single-host VPS.
landlock	Kernel ≥5.13; available	Process-local sandboxing. Apps must opt in via landlock(2). Python doesn't have a stdlib binding; need to call via ctypes or a wrapper. For us: would need to retrofit gunicorn or write a wrapper. Defer.
BPF LSM	Kernel ≥5.7; available	Programmable LSM hooks. Bleeding edge for personal infra. Defer.
Tomoyo	Available; not Debian-enabled	Path-based MAC. Niche. Skip.

For left4me: Yama yes. AppArmor maybe, as a follow-up — a profile limited to "deny path X" patterns for srcds would be small but adds an audit/rollback surface. Skip in the first pass; revisit if test results show systemd directives alone leave gaps.

Filesystem ACLs and modes

POSIX permissions, supplementary groups, ACLs (setfacl), extended attrs (xattr).

For us:

• DB and web.env already use root:left4me 0640. If we go uid-split, ownership changes; if we go hardening-only, mode is fine — what matters is whether the unit's FS view contains them at all.
• setfacl for fine-grained sharing (e.g., one supplementary group used by both web and game). Doable but adds complexity; consider only if uid split goes ahead.

File attributes (chattr)

chattr +i (immutable) and chattr +a (append-only).

For us:

• chattr +i /opt/left4me/src/** — prevents post-deploy tampering by anything short of root removing the attr. But: pip install -e creates *.egg-info files in the tree; deploy of new code would need to chattr -R -i ... first. Too much friction. Skip.
• chattr +i /etc/left4me/web.env — keeps the env file from being rewritten by a malicious uid. Works because the env file is rewritten rarely (rotate SECRET_KEY explicitly via ckn-bw apply, which is root and can chattr -i first). Worth considering as a small extra.

cgroups v2

Not a security primitive (not confidentiality/integrity), but a resource ceiling. Already in use:

• Slice=l4d2-game.slice, MemoryMax, TasksMax — keep.

MemoryDenyWriteExecute=true is a kernel-level prctl + seccomp, not a cgroup, but listed here because it's resource-adjacent. See systemd section.

Sudo / setuid

Sudoers grants narrow what a unit's uid can do as root. For us, the helpers (deploy/scripts/libexec/left4me-*) already validate inputs tightly (verified in audit). Two design options for the future:

• Keep sudo path, narrow the grants (per-uid via 3-user split, or per-action via tighter sudoers).
• Replace sudo with systemctl-managed transient units triggered via dbus / systemctl start — the build-overlay-unit spec already proposes this for the script-sandbox.

The web app needs to invoke the helpers somehow. NoNewPrivileges=true on the web unit would break sudo's setuid. If we move to systemctl-triggered units (no setuid involved), we can also tighten the web unit. Sequenced in the implementation plan, not this survey.

Section 2 — systemd unit-config primitives

Identity

• User= / Group= — drop privileges. Already set.
• DynamicUser=true — transient uid per run, persisted across runs via StateDirectory=. Strong default. Bad fit for us because multiple units share /var/lib/left4me/ cross-unit; DynamicUser's per-unit StateDirectory= model fights that.
• SupplementaryGroups= — extra groups. Used if we add a shared read-only group (e.g., l4d2-overlay-readers).

Filesystem virtualization

The lever the operator asked about ("can systemd have a fully virtual filesystem"). Yes — composition:

• RootDirectory=path — chroot. Full FS substitution. Heavy; requires populating libs/binaries. Skip for the first pass.
• RootImage=path — same but from a disk image. Way too heavy.
• TemporaryFileSystem=path[:opts] — empty tmpfs at path. Cheap. Composes with bind paths.
• BindReadOnlyPaths=src[:dst] — RO bind. Composes over TemporaryFileSystem.
• BindPaths=src[:dst] — RW bind. Composes over TemporaryFileSystem.
• InaccessiblePaths=path — masks a path with an empty file/dir. Legacy; Bind* is cleaner.
• NoExecPaths=path / ExecPaths=path — restrict executable paths. Strong but easy to misconfigure.

Composition pattern (the one we want for srcds):

TemporaryFileSystem=/var/lib /etc /opt /home /root /srv
BindReadOnlyPaths=/var/lib/left4me/installation
BindReadOnlyPaths=/var/lib/left4me/overlays
BindReadOnlyPaths=/etc/left4me/host.env
BindReadOnlyPaths=/etc/ssl /etc/ca-certificates /etc/resolv.conf
BindReadOnlyPaths=/etc/nsswitch.conf /etc/alternatives
BindPaths=/var/lib/left4me/runtime/%i

Result: srcds has no DB, no web.env, no /opt/left4me/src/ in its FS view. Files outside the bound list are simply not there from srcds's perspective — open() returns ENOENT, not EACCES.

Sharp edges:

• TemporaryFileSystem= size defaults to half RAM; clamp via :size=NNM,nr_inodes=NN.
• Bind paths must exist on disk; ENOENT prevents unit start.
• BindReadOnlyPaths= and BindPaths= reorder semantics: bind-mounts applied in order; later wins.
• RuntimeDirectory= integrates with TemporaryFileSystem= cleanly: RuntimeDirectory=left4me/foo creates /run/left4me/foo and binds it in, auto-cleaning on stop.

Namespaces (systemd wrappers)

• PrivateTmp=true — already set.
• PrivateDevices=true — already set. Drops most of /dev.
• PrivateNetwork=true — don't for gameservers (breaks UDP).
• PrivateIPC=true — private SysV/POSIX IPC namespace; cheap win.
• PrivateUsers=true — own userns. The configured User=left4me is identity-mapped inside; outside, the unit's processes appear as a mapped high uid (defense for D2/D4 against cross-namespace ptrace). Sharp edge: incompatible with sudo from inside the unit (setuid + userns mapping = no host-root).
• PrivateMounts=true — own mount ns (default-implicit with most Protect* / Private* directives).

/proc and /sys protection

• ProtectProc=invisible|noaccess|ptraceable|default — invisible makes other procs' /proc/<pid>/* not exist. D2.
• ProcSubset=pid|all — pid restricts /proc/ to PID entries; hides /proc/kallsyms, /proc/cpuinfo, etc. Cheap.
• ProtectKernelTunables=true — /proc/sys, /sys read-only.
• ProtectKernelModules=true — block init_module, delete_module.
• ProtectKernelLogs=true — block /dev/kmsg, syslog().
• ProtectClock=true — block clock_settime, settimeofday.
• ProtectControlGroups=true — /sys/fs/cgroup read-only.
• ProtectHostname=true — block sethostname/setdomainname.

All of ProtectKernel*, ProtectClock, ProtectControlGroups, ProtectHostname are cheap and have no downside for srcds or gunicorn. Add all of them.

Filesystem protection (legacy / not Bind*)

• ProtectSystem=false|true|full|strict — increasingly stringent RO of system paths. strict makes /, /usr, /boot, /etc, /opt RO except for explicit writable paths.
• ProtectHome=false|true|read-only|tmpfs — tmpfs masks /home, /root, /run/user with empty tmpfs.

For us: ProtectSystem=strict + ProtectHome=tmpfs is the baseline. But once we adopt TemporaryFileSystem= for the relevant trees, these become secondary — TemporaryFileSystem fully supersedes them in the covered subtrees. Keep both as defense-in-depth (cheap).

Syscall filtering

• SystemCallFilter=expr — discussed in Linux section.
• SystemCallArchitectures=native — always set.
• SystemCallLog=expr — opt-in logging without enforcement; useful for diagnosing what gets called before tightening.
• SystemCallErrorNumber=EPERM — soft denial vs. SIGKILL. Default is SIGKILL; switch later if a benign caller trips.

Capabilities

• CapabilityBoundingSet= — empty drops all. Use it.
• AmbientCapabilities= — empty (default).
• NoNewPrivileges=true — prevents setuid escalation. Required on srcds, incompatible with sudo on web until sudo is replaced.

Network restrictions

• RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX — for srcds. AF_UNIX needed for journald socket access.
• IPAddressAllow= / IPAddressDeny= — uses cgroup BPF; affects outbound traffic. For srcds: probably overcomplicates; the firewall already controls ingress. Skip for first pass.
• SocketBindAllow= / SocketBindDeny= — restricts which ports a unit can bind(). For srcds, allow only the configured game port range. Adds value but couples to config. Defer to a follow-up.

Resource restrictions

• MemoryMax, TasksMax, LimitNOFILE — already set.
• OOMScoreAdjust — already set (favor killing the gameserver before system processes if memory tight).
• MemoryDenyWriteExecute=true — blocks mprotect(PROT_WRITE|PROT_EXEC). Defends against shellcode in JIT memory. Source engine likely fine (no JIT in the binary; the Squirrel script engine is an interpreter, not JIT). Sourcemod plugins: most are compiled to bytecode + run on SourcePawn VM (interpreter); no JIT either. Verify in test.

IPC and process hygiene

• RemoveIPC=true — clean up SysV IPC on unit stop.
• KeyringMode=private — own kernel keyring; no host-key access.
• LockPersonality=true — block personality(2) calls (no x86 vs x86-64 mode toggle). Already set.
• RestrictRealtime=true — block real-time scheduling. srcds may use SCHED_OTHER + nice; no realtime needed.
• RestrictNamespaces=true — block unshare(2) / clone(CLONE_NEW*).
• RestrictSUIDSGID=true — already set.
• UMask=0027 — narrow default umask.

Capabilities of the + prefix

ExecStartPre=+cmd runs cmd as root in PID 1's namespaces, bypassing the unit's User= and almost all Protect*/Private*/Restrict* directives. This is how the existing overlay-mount helper runs. Critical to verify in test:

• Does + preserve the bypass when PrivateUsers=true is set? (Expected: yes — the userns is set up around the unit's processes; + puts the helper outside it.)

State management (per-unit)

• StateDirectory=path — creates /var/lib/<path> owned by User=.
• RuntimeDirectory=path — creates /run/<path>, auto-deleted on stop.
• LogsDirectory=path — /var/log/<path>.
• CacheDirectory=path — /var/cache/<path>.
• ConfigurationDirectory=path — /etc/<path>.

Useful for cleanup hygiene if we redesign storage layout. Not required for first pass.

systemd-analyze security

systemd-analyze security <unit> produces a security score per unit (lower = more secure). Output lists each directive with a ✓/✗. Useful as:

• Regression check (record baseline, ensure score drops after refactor).
• Discovery tool ("which directives haven't I set?").

Baseline scores (to capture during test plan):

• left4me-server@1.service before refactor
• left4me-web.service before refactor

Composability lookups

The systemd docs use a "predefined preset" concept that's worth knowing:

• @privileged (syscall group) ⊃ @process, @module, @ptrace, etc.
• @system-service is the recommended base for "I want a normal service to work."
• Subtracting ~@privileged is broad; ~@debug @mount @raw-io is surgical.

Section 3 — Application-level options

Apparmor profile for srcds

If systemd directives leave gaps, an AppArmor profile would let us deny specific paths or operations beyond what systemd's directives cover. E.g., "deny network for srcds to a specific IP range" via network inet stream... deny rules; or "deny mounting" beyond SystemCallFilter.

Effort:

• Enable AppArmor in the kernel cmdline + boot config.
• Write a profile (e.g., /etc/apparmor.d/usr.bin.srcds_linux).
• Reference via systemd AppArmorProfile= per unit.

Skip for the first pass; revisit if test results show the systemd directives alone leave a gap.

landlock for the web app

Python web app could call landlock_create_ruleset / landlock_add_rule / landlock_restrict_self via ctypes. Restricts FS access at runtime.

For us:

• Could restrict gunicorn to /var/lib/left4me/ + /etc/left4me/web.env
  • /opt/left4me/.venv + /tmp.
• Symmetric to TemporaryFileSystem= + Bind* but at the application layer (no systemd reach).

Skip; systemd directives are simpler. Reconsider if we move to a DynamicUser-style world later.

File-integrity tooling (Aide, Tripwire)

Out of scope for prevention; useful for detection. Not in this design.

Custom seccomp profile (bypassing systemd)

The web app could call seccomp(2) from inside Python via libseccomp

• ctypes to tighten its own filter beyond what systemd applies. Symmetric to landlock; skip for the same reason.

Section 4 — Per-defense mapping

For each defense from the threat model, the primitives that implement it, in priority order:

D1 — Gameserver RCE cannot exfiltrate DB or web.env

Primitive	Strength	Notes
TemporaryFileSystem=/var/lib /etc + minimal bind set	Strong	The files simply aren't in the unit's FS view. ENOENT, not EACCES.
3-user split (DB owned by l4d2-web)	Strong	Kernel-enforced; survives unit-config errors.
BindReadOnlyPaths=/dev/null:/var/lib/left4me/left4me.db	Medium	Masks the path; brittle (paths can move).
Filesystem ACLs (DB mode 0600)	Weak	Kernel still allows left4me group; only fixed by uid split.

Composition chosen: TemporaryFileSystem= + Bind* (primary). 3-user split as defense-in-depth or deferred.

D2 — Gameserver RCE cannot ptrace web app or peers

Primitive	Strength	Notes
SystemCallFilter=~@debug	Strong	Blocks ptrace, process_vm_readv/writev.
kernel.yama.ptrace_scope=2	Strong	Belt-and-braces at the kernel level.
CapabilityBoundingSet= empty	Strong	No CAP_SYS_PTRACE.
PrivateUsers=true	Strong	Cross-userns ptrace requires CAP_SYS_PTRACE.
3-user split	Strong	Different uids; same-uid path doesn't exist.

Composition chosen: All four (syscall + yama + caps + userns) together; they compose redundantly.

D3 — Gameserver RCE cannot use sudo helpers

Primitive	Strength	Notes
NoNewPrivileges=true	Strong	Blocks sudo's setuid. Already set on server@.
PrivateUsers=true	Strong	sudo across userns boundary impossible.
Sudoers grants scoped to l4d2-web (uid split)	Strong	Different uid means sudo grant doesn't apply.
RestrictSUIDSGID=true	Strong	Already set.

Composition chosen: NoNewPrivileges (already) + PrivateUsers (new)

• RestrictSUIDSGID (already). 3-user split is also covered by NNP
• PrivateUsers; uid split would be defense-in-depth.

D4 — Web app RCE cannot ptrace gameservers

Primitive	Strength	Notes
SystemCallFilter=~@debug on web	Strong	Symmetric to D2 but applied to web.
kernel.yama.ptrace_scope=2	Strong	System-wide, helps both directions.
3-user split	Strong	Different uids.

Composition chosen: SystemCallFilter on web + yama=2 system-wide. PrivateUsers cannot be applied to web (sudo incompatibility). 3-user split as defense-in-depth or deferred.

D5 — Cross-server contamination

Each left4me-server@<n>.service is a separate unit instance. With PrivateUsers=true, each gets its own user namespace. Cross-namespace ptrace fails. With TemporaryFileSystem= and per-instance BindPaths=/var/lib/left4me/runtime/%i, neither instance can read the other's runtime/<n>/ or attach to its process.

Composition chosen: PrivateUsers + per-instance Bind* (above). Per-instance uids out of scope.

D6 — Persistent compromise of /opt/left4me/src/ blocked from gameserver

Already covered by ProtectSystem=strict on server@.service. With TemporaryFileSystem=/opt, the path simply isn't visible to srcds. Stronger and redundant — both can stay.

D7 — Defenses survive a unit-config refactor in the wrong direction

deploy/tests/test_deploy_artifacts.py asserts the directives' presence in the deployed unit. Add hardening invariants as test cases. Survives because the test fails CI before deploy.

Section 5 — Candidate composition

For testing, not commitment. Test plan validates each piece.

left4me-server@.service

[Service]
User=left4me
Group=left4me

# (existing)
Type=simple
WorkingDirectory=-/var/lib/left4me/runtime/%i/merged/left4dead2
EnvironmentFile=/etc/left4me/host.env
EnvironmentFile=/var/lib/left4me/instances/%i/instance.env
ExecStartPre=+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- /usr/local/libexec/left4me/left4me-overlay mount %i
ExecStart=/var/lib/left4me/runtime/%i/merged/srcds_run -game left4dead2 +hostport ${L4D2_PORT} $L4D2_ARGS
ExecStopPost=+/usr/bin/nsenter --mount=/proc/1/ns/mnt -- /usr/local/libexec/left4me/left4me-overlay umount %i
Restart=on-failure
RestartSec=5

# Resource control (existing)
Slice=l4d2-game.slice
Nice=-5
IOSchedulingClass=best-effort
IOSchedulingPriority=4
OOMScoreAdjust=-200
MemoryHigh=1.5G
MemoryMax=2G
TasksMax=256
LimitNOFILE=65536
KillSignal=SIGINT
TimeoutStopSec=15s
LogRateLimitIntervalSec=0

# Hardening — identity
NoNewPrivileges=true
RestrictSUIDSGID=true

# Hardening — namespaces
PrivateTmp=true
PrivateDevices=true
PrivateIPC=true
PrivateUsers=true               # NEW
ProtectHome=true

# Hardening — filesystem view
TemporaryFileSystem=/var/lib /etc /opt /home /root /srv /mnt /media     # NEW
BindReadOnlyPaths=/var/lib/left4me/installation                          # was ReadOnlyPaths
BindReadOnlyPaths=/var/lib/left4me/overlays                              # was ReadOnlyPaths
BindReadOnlyPaths=/etc/left4me/host.env                                  # NEW
BindReadOnlyPaths=/etc/ssl /etc/ca-certificates                          # NEW
BindReadOnlyPaths=/etc/resolv.conf /etc/nsswitch.conf /etc/alternatives  # NEW
BindPaths=/var/lib/left4me/runtime/%i                                    # was ReadWritePaths
ProtectSystem=strict
# (remove old ReadOnlyPaths= and ReadWritePaths= lines — superseded)

# Hardening — /proc, /sys, kernel
ProtectProc=invisible           # NEW
ProcSubset=pid                  # NEW
ProtectKernelTunables=true      # NEW
ProtectKernelModules=true       # NEW
ProtectKernelLogs=true          # NEW
ProtectClock=true               # NEW
ProtectControlGroups=true       # NEW
ProtectHostname=true            # NEW
LockPersonality=true

# Hardening — caps + syscall
CapabilityBoundingSet=          # NEW
AmbientCapabilities=            # NEW
SystemCallArchitectures=native  # NEW
SystemCallFilter=@system-service                                      # NEW
SystemCallFilter=~@debug @mount @raw-io @reboot @swap @cpu-emulation @obsolete @privileged  # NEW

# Hardening — network
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX                       # NEW (AF_UNIX for journald)

# Hardening — namespaces, realtime, IPC
RestrictNamespaces=true          # NEW
RestrictRealtime=true            # NEW
RemoveIPC=true                   # NEW
KeyringMode=private              # NEW
UMask=0027                       # NEW

# Deferred until test:
# MemoryDenyWriteExecute=true    # MAY break sourcemod / Source engine; test first.

left4me-web.service

[Service]
User=left4me
Group=left4me

# (existing)
Type=simple
WorkingDirectory=/opt/left4me/src
Environment=HOME=/var/lib/left4me PATH=/opt/left4me/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
EnvironmentFile=/etc/left4me/host.env
EnvironmentFile=/etc/left4me/web.env
ExecStart=/opt/left4me/.venv/bin/gunicorn --workers ... --threads ... --bind 127.0.0.1:8000 'l4d2web.app:create_app()'
Restart=on-failure
RestartSec=3

# Hardening
PrivateTmp=true
ProtectSystem=strict                      # tightened from =full
ProtectHome=true
ReadWritePaths=/var/lib/left4me           # web needs broad write access there
# NoNewPrivileges intentionally NOT set — sudo
# PrivateUsers intentionally NOT set — sudo

# /proc + kernel hardening (sudo-compatible)
ProtectProc=invisible                     # NEW
ProcSubset=pid                            # NEW
ProtectKernelTunables=true                # NEW
ProtectKernelModules=true                 # NEW
ProtectKernelLogs=true                    # NEW
ProtectClock=true                         # NEW
ProtectControlGroups=true                 # NEW
ProtectHostname=true                      # NEW
LockPersonality=true                      # NEW

# Syscall filter — allow @system-service minus debug-class; keep @privileged
# because sudo needs setuid, chown, etc.
SystemCallArchitectures=native            # NEW
SystemCallFilter=@system-service          # NEW
SystemCallFilter=~@debug @mount @raw-io @reboot @swap @cpu-emulation @obsolete  # NEW

# Network
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX  # NEW

# Misc hygiene
RestrictRealtime=true                     # NEW
RestrictNamespaces=true                   # NEW
RemoveIPC=true                            # NEW
UMask=0027                                # NEW

# Deferred for sudo-removal future work:
# NoNewPrivileges=true
# CapabilityBoundingSet=
# PrivateUsers=true

Host sysctl

/etc/sysctl.d/99-left4me.conf (or merge into existing):

kernel.yama.ptrace_scope=2

System-wide. Means: even if a unit-level config slips, host-level ptrace is admin-only. Cost: zero for our use case (no debugging in prod).

Section 6 — Trade-offs and known sharp edges

To verify in the test plan:

1. PrivateUsers=true + +-prefixed ExecStartPre: expected to work (the + runs outside the unit's namespaces). Sharp if it doesn't — the overlay mount would fail and srcds wouldn't start.
2. TemporaryFileSystem=/etc and missing files: srcds and its dependencies (libstdc++ runtime, libssl, libcurl) may read files from /etc we haven't bound. Watch journalctl for ENOENT during first start.
3. SystemCallFilter=~@privileged and Source engine: srcds is C++ and uses syscalls beyond the obvious. A ~@privileged may trip something. Mitigation: test with SystemCallLog= instead of SystemCallFilter= first; observe what would have been blocked; then narrow.
4. MemoryDenyWriteExecute=true and sourcemod: SourcePawn is bytecode-interpreted (no JIT) per public docs, but plugin compilation could in theory use a JIT. Test before enabling.
5. RestrictAddressFamilies= without AF_UNIX: journald socket needs it. Always include AF_UNIX.
6. ProcSubset=pid and Python: gunicorn shouldn't break (uses /proc/self/* + signal-based ipc). Verify.
7. sysctl kernel.yama.ptrace_scope=2: blocks operator's own gdb / strace -p against any running service. If you need to debug, temporarily set back to 1 via sysctl, then revert.
8. ProtectSystem=strict on web: was =full. Tighter; might break a write the web app does to a path outside /var/lib/left4me. Audit l4d2web/* for os.makedirs or open(...'w') outside that root.

Open questions for the implementer

(After test plan results come back, finalize these.)

1. Do we adopt MemoryDenyWriteExecute=true if it works for srcds? (Probably yes, defense-in-depth at low cost.)
2. Do we set SocketBindAllow= on srcds to lock the port range? (Depends on whether instance.env exposes the range cleanly to a unit directive.)
3. Do we deploy AppArmor profiles as a follow-up? (Probably no — operational complexity exceeds the marginal gain on single-host infra.)
4. Do we keep both BindReadOnlyPaths= and the legacy ReadOnlyPaths= declarations, or simplify? (Simplify — use Bind* exclusively once TemporaryFileSystem= is in place.)
5. Do we proceed with 3-user split as a follow-up, or close the spec as "addressed by hardening"? Depends on operator's residual-risk tolerance after Phase A lands and we observe.

Pointers

• Threat model: docs/superpowers/specs/2026-05-15-hardening-threat-model.md
• Test plan: docs/superpowers/specs/2026-05-15-hardening-test-plan.md
• Original uid-split spec (still open): docs/superpowers/specs/2026-05-15-user-uid-split-design.md
• Live unit source (ckn-bw reactor): ~/Projekte/ckn-bw/bundles/left4me/metadata.py:150+
• Reference units (deploy-dir-rethink reference-only): deploy/files/usr/local/lib/systemd/system/
• systemd docs (latest, systemd 256+ on Trixie): man systemd.exec, man systemd.unit, man systemd-analyze.
• L4D2 / Source engine docs:
  • SourcePawn (bytecode-interpreted): https://wiki.alliedmods.net/SourcePawn
  • srcds is a Source 2007 engine binary; closed-source, expect surprises.