From df8d991b241d3eec80a621372f0c80a59abbfdae Mon Sep 17 00:00:00 2001
From: Andreas Henriksson
Date: Fri, 23 Nov 2018 12:10:59 +0100
Subject: [PATCH] uuidd: Add hardening settings to uuidd.service

This limits what the uuid daemon has access to when it runs. Further improving this with additional option or making things even tighter is most likely possible.

Signed-off-by: Andreas Henriksson
---
 misc-utils/uuidd.service.in | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/misc-utils/uuidd.service.in b/misc-utils/uuidd.service.in
index a43b3c3e078..b4c9c463500 100644
--- a/misc-utils/uuidd.service.in
+++ b/misc-utils/uuidd.service.in
@@ -8,6 +8,17 @@ ExecStart=@usrsbin_execdir@/uuidd --socket-activation
 Restart=no
 User=uuidd
 Group=uuidd
+ProtectSystem=strict
+ProtectHome=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateUsers=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+MemoryDenyWriteExecute=yes
+SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io
 
 [Install]
 Also=uuidd.socket
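Review bot: ProtectSystem=strict leaves the daemon with no writable path unless one is granted explicitly, and this hunk grants none; if uuidd writes a pid file, its socket directory, or persistent clock state anywhere under /run or /var/lib, those writes will begin failing under this unit while the service still appears healthy. The usual companions are `RuntimeDirectory=uuidd` for a /run subdirectory and a `StateDirectory=` or `ReadWritePaths=<state path>` entry for any on-disk state, scoped to exactly what the daemon needs rather than falling back to ProtectSystem=full. The SystemCallFilter= line is also redundant as written, since @system-service already contains @default, @file-system, @basic-io, @signal, @io-event and @network-io, so `SystemCallFilter=@system-service` expresses the same policy and is easier to audit (@network-io remains needed for the AF_UNIX socket). The [Service] section these lines extend begins above the hunk.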