From 564990964d01b146378e253e17f7414ac129e732 Mon Sep 17 00:00:00 2001 From: Julien Voisin Date: Thu, 4 Nov 2021 16:15:42 +0100 Subject: [PATCH] Add a bit of hardening to the systemd service MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Tested in an unprivileged lxc container, so it shouldn't™ break anything. --- debian/jellyfin.service | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/debian/jellyfin.service b/debian/jellyfin.service index b79cd47c72..e215a85362 100644 --- a/debian/jellyfin.service +++ b/debian/jellyfin.service @@ -10,5 +10,27 @@ ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELL Restart = on-failure TimeoutSec = 15 +NoNewPrivileges=true +SystemCallArchitectures=native +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +ProtectKernelModules=True +SystemCallFilter=~@clock +SystemCallFilter=~@aio +SystemCallFilter=~@chown +SystemCallFilter=~@cpu-emulation +SystemCallFilter=~@debug +SystemCallFilter=~@keyring +SystemCallFilter=~@memlock +SystemCallFilter=~@module +SystemCallFilter=~@mount +SystemCallFilter=~@obsolete +SystemCallFilter=~@privileged +SystemCallFilter=~@raw-io +SystemCallFilter=~@reboot +SystemCallFilter=~@setuid +SystemCallFilter=~@swap +SystemCallErrorNumber=EPERM + + [Install] WantedBy = multi-user.target
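Review bot: The fifteen `SystemCallFilter=~@...` lines form a pure deny-list, so any syscall outside the listed groups stays reachable; consider starting from an allow-list such as `SystemCallFilter=@system-service` and keeping only the `~` entries that still subtract something from it, which is the mode systemd.exec(5) recommends. With `SystemCallErrorNumber=EPERM` a blocked call fails quietly instead of killing the process, and the filter is inherited by every child that `ExecStart` spawns, so the single test in an unprivileged lxc container mentioned in the commit message may not exercise all code paths; a short comment in the unit saying which workloads were checked, and why groups such as `~@aio` and `~@memlock` are safe to deny for this service, would help the next person who debugs an unexplained EPERM. Style: the existing directives are written `Key = value` (`Restart = on-failure`) while the new ones use `Key=value`, `ProtectKernelModules=True` is capitalised differently from `NoNewPrivileges=true`, and the hunk adds two blank lines before `[Install]` where one is enough.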