Merge c449994e22 into 1a61e1eea5

untested. partial sandboxing.

README.md

@@ -22,7 +22,7 @@ _____
 ### Via APT (recommended)
 
 ```bash
-echo "deb [signed-by=/usr/share/keyrings/azlux-archive-keyring.gpg] http://packages.azlux.fr/debian/ bullseye main" | sudo tee /etc/apt/sources.list.d/azlux.list
+echo "deb [signed-by=/usr/share/keyrings/azlux-archive-keyring.gpg] http://packages.azlux.fr/debian/ bookworm main" | sudo tee /etc/apt/sources.list.d/azlux.list
 sudo wget -O /usr/share/keyrings/azlux-archive-keyring.gpg  https://azlux.fr/repo.gpg
 sudo apt update
 sudo apt install log2ram

log2ram-daily.service

@@ -4,3 +4,20 @@ After=log2ram.service
 
 [Service]
 ExecStart=/bin/systemctl reload log2ram.service
+
+# Sandboxing
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPriviliges=true
+PrivateDevices=true
+PrivateNetwork=true 
+  #May affect "Mail" in log2ram.conf.
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictSUIDSGID=true
+ProtectSystem=strict
+ProtectHome=true 

log2ram.service

@@ -15,5 +15,25 @@ ExecReload=/usr/local/bin/log2ram write
 TimeoutStartSec=120
 RemainAfterExit=yes
 
+# Sandboxing
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPriviliges=true
+PrivateDevices=true
+PrivateNetwork=true 
+  #May break "MAIL" in log2ram.conf if it points to non-local web address. 
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictSUIDSGID=true
+ProtectSystem=true
+  # ALT: ProtectSystem=full # needs rw whitelisting for /var/hdd.log/ 
+ProtectHome=true 
+  #may cause breakage in situations wherein user has configured log2ram to also copy logs from $HOME. 
+  #can probably fix with systemctl edit to whitelist relevant dirs. See: ReadWritePaths=
+
 [Install]
 WantedBy=sysinit.target