From a9a80ab3722153a12f3b1ea216856808ba007d33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederik=20=E2=80=9CFreso=E2=80=9D=20S=2E=20Olesen?= <177659+Freso@users.noreply.github.com> Date: Fri, 25 Dec 2020 00:14:58 +0000 Subject: [PATCH] tailscaled.service: Harden systemd unit somewhat (#1062) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While not a full capability lockdown of the systemd unit, this still improves sandboxing and security of the running process a good deal. Signed-off-by: Frederik “Freso” S. Olesen --- cmd/tailscaled/tailscaled.service | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/cmd/tailscaled/tailscaled.service b/cmd/tailscaled/tailscaled.service index 71dc89f1b..447b9cb21 100644 --- a/cmd/tailscaled/tailscaled.service +++ b/cmd/tailscaled/tailscaled.service @@ -20,5 +20,16 @@ CacheDirectory=tailscale CacheDirectoryMode=0750 Type=notify +LockPersonality=true +MemoryDenyWriteExecute=true +PrivateTmp=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelTunables=true +ProtectSystem=strict +ReadWritePaths=/etc/ +RestrictSUIDSGID=true +SystemCallArchitectures=native + [Install] WantedBy=multi-user.target
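Review bot: `ReadWritePaths=/etc/` makes the whole of /etc writable again, which gives back much of what `ProtectSystem=strict` on the line before it takes away. With that pair the service can still modify any system configuration file under /etc. Suggest narrowing the exception to the specific files or directories the daemon actually has to write, and adding a comment in the unit that names them so the exception can be audited. The commit message notes this is not a full capability lockdown; a one-line comment above the new block saying which restrictions were deliberately left out would make that visible in the unit file itself.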