From 654d82f8884f11804c7b20f9a092807e3bd95de9 Mon Sep 17 00:00:00 2001
From: Robert Helgesson
Date: Sat, 14 Aug 2021 13:25:54 +0200
Subject: [PATCH] syncthing: add more service sandboxing
---
 modules/services/syncthing.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/modules/services/syncthing.nix b/modules/services/syncthing.nix
index c9def213d..168566156 100644
--- a/modules/services/syncthing.nix
+++ b/modules/services/syncthing.nix
@@ -61,8 +61,15 @@ with lib;
 Restart = "on-failure";
 SuccessExitStatus = [ 3 4 ];
 RestartForceExitStatus = [ 3 4 ];
+
+ # Sandboxing.
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
 NoNewPrivileges = true;
 PrivateUsers = true;
+ RestrictNamespaces = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
 };
 Install = { WantedBy = [ "default.target" ]; };
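Review bot: `SystemCallFilter = "@system-service";` is added without a `SystemCallErrorNumber`, so a system call outside the allow-list terminates syncthing with SIGSYS instead of returning an error, and together with the `Restart = "on-failure";` visible in the hunk context that may turn into a restart loop if a later Syncthing or runtime version starts using a call outside the group. If graceful failure is preferred, add `SystemCallErrorNumber = "EPERM";` next to the filter; keeping the kill action is also defensible because it makes violations more noticeable, but then the comment should say that the choice is deliberate. The `# Sandboxing.` comment could additionally state the scope of these settings, for example `# Sandboxing: syscall, namespace and memory-mapping hardening only; file access is not restricted here.`, so readers do not assume the synced data is confined. The enclosing `Service` attribute set starts outside the hunk, so other restrictions may exist that are not visible here.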