From b562983cbdcc53aa37058484e12235db86a8bb0b Mon Sep 17 00:00:00 2001
From: LaserEyess <16581533+LaserEyess@users.noreply.github.com>
Date: Sun, 24 Dec 2023 21:48:18 -0500
Subject: [PATCH] Harden systemd service (#6391)
This commit includes strict, but still compatible, service hardening for transmission-daemon.service. The main goal is a defense-in-depth strategy that protects users from unknown vulnerabilities in transmission. In practice, transmission does not use any of the features that are blocked in this hardening. However, this is still a network facing daemon that, by design, accepts connections from unknown peers. So better safe than sorry. This commit also installs the service via CMake
Co-authored-by: LaserEyess
---
 daemon/CMakeLists.txt | 6 ++++++
 daemon/transmission-daemon.service | 23 ++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/daemon/CMakeLists.txt b/daemon/CMakeLists.txt
index 9a966b09d..bad22a479 100644
--- a/daemon/CMakeLists.txt
+++ b/daemon/CMakeLists.txt
@@ -52,4 +52,10 @@ foreach(P daemon)
 FILES ${TR_NAME}-${P}.1
 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
 endif()
+
+ if (WITH_SYSTEMD)
+ install(
+ FILES ${TR_NAME}-${P}.service
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}/systemd/system)
+ endif()
 endforeach()
diff --git a/daemon/transmission-daemon.service b/daemon/transmission-daemon.service
index eaf3d8515..2fceede17 100644
--- a/daemon/transmission-daemon.service
+++ b/daemon/transmission-daemon.service
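Review bot: The new install rule places the unit under `${CMAKE_INSTALL_LIBDIR}/systemd/system`, but systemd reads system units only from its own unit directory, so on a layout where `CMAKE_INSTALL_LIBDIR` is `lib64` or `lib/<triplet>` the file lands where systemd never looks and the hardened unit is silently not installed. Query the path from pkg-config instead, `pkg_get_variable(TR_SYSTEMD_UNIT_DIR systemd systemdsystemunitdir)`, fall back to `${CMAKE_INSTALL_PREFIX}/lib/systemd/system` when it comes back empty, and ideally expose it as a project-prefixed cache variable so packagers can override it. A related mismatch: the unit hardcodes `ExecStart=/usr/bin/transmission-daemon` while this rule honours the install prefix, so a non-`/usr` prefix installs a unit that points at a binary that may not exist; generating the unit with `configure_file()` from `@CMAKE_INSTALL_FULL_BINDIR@` would keep the two in step. The `foreach(P daemon)` loop enclosing this block starts above the hunk.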
@@ -8,10 +8,31 @@ User=transmission
 Type=notify
 ExecStart=/usr/bin/transmission-daemon -f --log-level=error
 ExecReload=/bin/kill -s HUP $MAINPID
+
+# Hardening
+CapabilityBoundingSet=
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=true
 NoNewPrivileges=true
 MemoryDenyWriteExecute=true
-ProtectSystem=true
 PrivateTmp=true
+PrivateDevices=true
+ProtectClock=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=true
+SystemCallFilter=@system-service
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
 [Install]
 WantedBy=multi-user.target
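Review bot: `ProtectSystem=true` is only moved here, not strengthened, and it is the weakest of the three levels: `/usr` and `/boot` become read-only but `/etc` stays writable, whereas `ProtectSystem=full` also protects `/etc` and nothing in the unit points the daemon at a writable path there, so `full` looks adoptable at no functional cost (`strict` plus `ReadWritePaths=` for the config and download directories is the stronger option where packagers know those paths). As far as I can tell systemd's `PrivateDevices=true` already implies `DevicePolicy=closed`, so the explicit `DevicePolicy=closed` line is probably redundant, though harmless. `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` is the setting most likely to surface at runtime: any code path in the process that opens an `AF_NETLINK` socket (glibc's `getifaddrs()` does, for instance) will have its `socket()` call refused, and whether libtransmission or a dependency does so cannot be told from this hunk. Presumably this was exercised, but a `systemd-analyze security transmission-daemon.service` run plus a peer/DHT smoke test would substantiate the "still compatible" claim in the commit message.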