From 9b6bc980869aaa77d5119e03d2ae710fa39fdbee Mon Sep 17 00:00:00 2001
From: surtur
Date: Wed, 20 Apr 2022 16:51:05 +0200
Subject: [PATCH] tighten Capabilities and SystemCallFilter list

---
 etc/systemd/system/drone.service | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/etc/systemd/system/drone.service b/etc/systemd/system/drone.service
index 85cc514..ffd91af 100644
--- a/etc/systemd/system/drone.service
+++ b/etc/systemd/system/drone.service
@@ -16,6 +16,9 @@ IOSchedulingClass=1
 IOSchedulingPriority=0
 CapabilityBoundingSet=
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_AUDIT_*
+
+SystemCallFilter=~memfd_create @reboot @swap @resources @cpu-emulation @debug @module @clock @raw-io @obsolete
 # ProtectProc=invisible
 ProtectHome=true
 RestrictNamespaces=uts ipc pid user cgroup
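Review bot: The added `CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_AUDIT_*` line is a no-op: the `CapabilityBoundingSet=` context line just above it (empty assignment) already resets the bounding set to the empty set and discards prior settings, and a `~`-prefixed line only ANDs capabilities out of whatever is currently there, so the unit runs with no capabilities either way — drop the new line, or if the service genuinely needs a capability, turn the empty line into an explicit allow-list instead. The added `SystemCallFilter=~memfd_create @reboot …` is a deny-list, so every syscall not named in it (the `@privileged` and `@mount` groups, for instance) stays reachable; the shape systemd documents is an allow-list first, `SystemCallFilter=@system-service`, with this `~` line kept immediately after it to subtract groups. Note that `@resources` covers setrlimit/prlimit64, so a runtime that raises its own RLIMIT_NOFILE at startup would be killed with SIGSYS under this filter — worth confirming against the actual binary before rollout. The enclosing `[Service]` section header is outside the hunk, and the `@@ -16,6` header announces six context lines while only five are visible, so the hunk may be cut off after `RestrictNamespaces=`.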