systemd sandboxing for online


Hello,
as part of the effort to package LOOL for NixOS, I've been trying to use the systemd sandboxing options[1] with loolwsd. They are a simple way of isolating the daemon from the rest of the system.

I don't have a non-NixOS setup to test these and don't want to create an untested gerrit change. Would anyone be interested in testing the attached patch and submitting it if it works?

Cheers,
Martin

[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing
diff --git a/loolwsd.service b/loolwsd.service
index 93e98fd67..8845569fb 100644
--- a/loolwsd.service
+++ b/loolwsd.service
@@ -11,5 +11,24 @@ User=lool
 KillMode=control-group
 Restart=always
 
+ProtectSystem=strict
+ReadWritePaths=/opt/lool
+
+ProtectHome=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+LockPersonality=yes
+#MemoryDenyWriteExecute=yes # probably breaks java
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+AmbientCapabilities=CAP_FOWNER CAP_MKNOD CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_FOWNER CAP_MKNOD CAP_SYS_CHROOT
+
 [Install]
 WantedBy=multi-user.target
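Review bot: the trailing `# probably breaks java` on the `#MemoryDenyWriteExecute=yes` line will break the unit for whoever later uncomments the directive, because unit files only treat `#` as a comment at the start of a line and systemd would read the tail as part of the value; move the remark to its own line above it, e.g. `# MemoryDenyWriteExecute=yes probably breaks java`, so that `MemoryDenyWriteExecute=yes` can be enabled cleanly. Two things also deserve a sentence in the commit message: with `ProtectSystem=strict` everything outside `/opt/lool`, `/dev`, `/proc` and `/sys` becomes read-only, so any log, cache or socket directory loolwsd writes to elsewhere needs its own `ReadWritePaths=` entry, and `CapabilityBoundingSet=` now drops every capability except the three granted via `AmbientCapabilities=`, which should be confirmed against what the child jail setup actually requires. The untested status the cover note mentions makes a run on a stock (non-NixOS) install a prerequisite before this goes to gerrit.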
_______________________________________________
LibreOffice mailing list
LibreOffice@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/libreoffice
