From 7d93ba836ed8bf599fd4b1f5513eb5a09780200e Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 4 Sep 2024 17:43:24 -0500
Subject: [PATCH] r/restic: Enhance restic-backup security sandbox

Since `restic` needs to run as root in order to back up files regardless of their permissions, we need to restrict it to doing only that. Using systemd sandbox features, especially the capability bounding set, we can remove all of _root_'s powers except the ability to read all files.
---
 roles/restic/files/restic-backup.service | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/roles/restic/files/restic-backup.service b/roles/restic/files/restic-backup.service
index 65ab554..0602368 100644
--- a/roles/restic/files/restic-backup.service
+++ b/roles/restic/files/restic-backup.service
@@ -10,3 +10,22 @@ Environment=RESTIC_PASSWORD_FILE=%d/restic.password
 Environment=XDG_CACHE_HOME=%C
 EnvironmentFile=-%E/restic/environment
 ExecStart=/usr/bin/restic backup --files-from %E/restic/include --exclude-file %E/restic/exclude --exclude-if-present .nobackup
+CacheDirectory=restic
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=%t
+ReadWritePaths=%T
+ReadWritePaths=%V
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+UMask=0077
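Review bot: The sandbox added after `ExecStart=` constrains capabilities and the filesystem view but leaves the network and namespace side untouched, which matters because `CapabilityBoundingSet=CAP_DAC_READ_SEARCH` still lets this root process read every file on the host, so limiting where that data can go reduces the blast radius of a misbehaving or compromised restic. Consider adding `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`, `RestrictNamespaces=yes` and `SystemCallArchitectures=native` next to the existing `Restrict*` lines; the address-family list assumes the repository backend is reached over IP, so narrow it to `AF_UNIX` if the repository is local. Separately, `ReadWritePaths=%t` makes all of /run writable under `ProtectSystem=strict`; if restic only needs a per-unit runtime directory, `RuntimeDirectory=restic` would be the narrower equivalent, while the `%T`/`%V` entries are already covered by `PrivateTmp=yes`. The `[Service]` section starts before this hunk, so whether a `User=` or `DynamicUser=` line interacts with the bounding set is not visible here.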