Merge c449994e22 into 5cd873123c

untested. partial sandboxing.

log2ram-daily.service

@@ -1,6 +1,24 @@
 [Unit]
 Description=Daily Log2Ram writing activities
 After=log2ram.service
+Documentation=https://github.com/azlux/log2ram
 
 [Service]
 ExecStart=/bin/systemctl reload log2ram.service
+
+# Sandboxing
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPriviliges=true
+PrivateDevices=true
+PrivateNetwork=true 
+  #May affect "Mail" in log2ram.conf.
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictSUIDSGID=true
+ProtectSystem=strict
+ProtectHome=true 

log2ram.service

@@ -6,6 +6,7 @@ After=local-fs.target
 Conflicts=shutdown.target reboot.target halt.target
 RequiresMountsFor=/var/log /var/hdd.log
 IgnoreOnIsolate=yes
+Documentation=https://github.com/azlux/log2ram
 
 [Service]
 Type=oneshot
@@ -15,5 +16,25 @@ ExecReload=/usr/local/bin/log2ram write
 TimeoutStartSec=120
 RemainAfterExit=yes
 
+# Sandboxing
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPriviliges=true
+PrivateDevices=true
+PrivateNetwork=true 
+  #May break "MAIL" in log2ram.conf if it points to non-local web address. 
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictSUIDSGID=true
+ProtectSystem=true
+  # ALT: ProtectSystem=full # needs rw whitelisting for /var/hdd.log/ 
+ProtectHome=true 
+  #may cause breakage in situations wherein user has configured log2ram to also copy logs from $HOME. 
+  #can probably fix with systemctl edit to whitelist relevant dirs. See: ReadWritePaths=
+
 [Install]
 WantedBy=sysinit.target