From 8632c838815b23b362276e49c115041f2417fc11 Mon Sep 17 00:00:00 2001 From: Ryan Crosby Date: Tue, 7 Sep 2021 01:34:23 +1000 Subject: [PATCH] Harden systemd unit file Use simple invocation type instead of forking daemon Add alternative unit file for /usr/local installs Add /opt/ systemd unit variant Fix comments Add 3GB memory limit to systemd unit Restore newlines at end of systemd unit files Remove "via official sources" comment from the opt systemd unit file Use term "variant" instead of "variation" since the former is more specific and correct for this context Correct dogecoin package directory from "dogecoind" to "dogecoin" Use tarball bin path Co-authored-by: Patrick Lodder --- contrib/init/dogecoind.local.service | 73 +++++++++++++++++++++++++++ contrib/init/dogecoind.opt.service | 74 ++++++++++++++++++++++++++++ contrib/init/dogecoind.service | 69 ++++++++++++++++++++++---- 3 files changed, 207 insertions(+), 9 deletions(-) create mode 100644 contrib/init/dogecoind.local.service create mode 100644 contrib/init/dogecoind.opt.service diff --git a/contrib/init/dogecoind.local.service b/contrib/init/dogecoind.local.service new file mode 100644 index 000000000..66d84b75d --- /dev/null +++ b/contrib/init/dogecoind.local.service 
@@ -0,0 +1,73 @@
+# This variant of the unit file is for local installations that are installed with `make install`.
+#
+# The relevant paths are:
+#
+#/usr/local/bin/dogecoind
+#/usr/local/etc/dogecoin/
+#/var/local/dogecoin/
+
+[Unit]
+Description=Dogecoin's distributed currency daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/dogecoind -conf=/usr/local/etc/dogecoin/dogecoin.conf -datadir=/var/local/dogecoin
+
+KillSignal=SIGINT
+Restart=always
+RestartSec=5
+TimeoutStopSec=60
+TimeoutStartSec=5
+StartLimitIntervalSec=120
+StartLimitBurst=5
+
+User=dogecoin
+Group=dogecoin
+
+### Restrict resource consumption
+MemoryAccounting=yes
+MemoryLimit=3g
+
+### Restrict access to host file system.
+#
+# Hide the entire root file system by default, and *only* mount in exactly what is needed.
+#
+
+TemporaryFileSystem=/:ro
+
+# Add core dependencies
+BindReadOnlyPaths=/etc/ /lib/ /lib64/
+
+# Add daemon paths
+BindReadOnlyPaths=/usr/local/bin/dogecoind /usr/local/etc/dogecoin/
+BindPaths=/var/local/dogecoin/
+
+### Restrict access to system.
+
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+DevicePolicy=closed
+ProtectHome=true
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+
+# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
+# since it remounts root as read only over the top.
+# In this case, do not enable ProtectSystem.
+#ProtectSystem=strict
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/init/dogecoind.opt.service b/contrib/init/dogecoind.opt.service
new file mode 100644
index 000000000..42cb73f45
--- /dev/null
+++ b/contrib/init/dogecoind.opt.service
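Review bot: `StartLimitIntervalSec=120` and `StartLimitBurst=5` are placed under `[Service]`, but since systemd v230 the start rate limit is a `[Unit]` setting; as far as I can tell only the legacy spelling `StartLimitInterval=` is still accepted in `[Service]` for compatibility, so the new spelling is likely logged as an unknown key and ignored, leaving the burst counted against the 10 s default window, which `RestartSec=5` can never exceed, so a daemon that dies on startup (bad conf, locked datadir) would restart forever. Move both lines into `[Unit]`, e.g. directly after `After=network.target`: `StartLimitIntervalSec=120` / `StartLimitBurst=5`. The same applies to the opt and package variants in this patch. Worth confirming with `systemd-analyze verify` on the oldest systemd the project intends to support.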
@@ -0,0 +1,74 @@
+# This variant of the unit file is for "opt" add-on installations that do not form part of the default installation.
+# (i.e. out of band installations by the user, not installed by a system package manager like "apt")
+#
+# The relevant paths are:
+#
+#/opt/dogecoin/dogecoind
+#/etc/opt/dogecoin/
+#/var/opt/dogecoin/
+
+[Unit]
+Description=Dogecoin's distributed currency daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/dogecoin/bin/dogecoind -conf=/etc/opt/dogecoin/dogecoin.conf -datadir=/var/opt/dogecoin
+
+KillSignal=SIGINT
+Restart=always
+RestartSec=5
+TimeoutStopSec=60
+TimeoutStartSec=5
+StartLimitIntervalSec=120
+StartLimitBurst=5
+
+User=dogecoin
+Group=dogecoin
+
+### Restrict resource consumption
+MemoryAccounting=yes
+MemoryLimit=3g
+
+### Restrict access to host file system.
+#
+# Hide the entire root file system by default, and *only* mount in exactly what is needed.
+#
+
+TemporaryFileSystem=/:ro
+
+# Add core dependencies
+BindReadOnlyPaths=/etc/ /lib/ /lib64/
+
+# Add daemon paths
+BindReadOnlyPaths=/opt/dogecoin/ /etc/opt/dogecoin/
+BindPaths=/var/opt/dogecoin/
+
+### Restrict access to system.
+
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+DevicePolicy=closed
+ProtectHome=true
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+
+# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
+# since it remounts root as read only over the top.
+# In this case, do not enable ProtectSystem.
+#ProtectSystem=strict
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/init/dogecoind.service b/contrib/init/dogecoind.service
index 159222280..1a9ac80c3 100644
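Review bot: The path list in the header comment says `#/opt/dogecoin/dogecoind`, but `ExecStart=` and the daemon `BindReadOnlyPaths=` use `/opt/dogecoin/bin/dogecoind` (the tarball layout the commit message refers to), so the comment should read `#/opt/dogecoin/bin/dogecoind`. Separately, with `TemporaryFileSystem=/:ro` the daemon only sees `/etc/`, `/lib/`, `/lib64/` and the bound daemon paths; on hosts where `/etc/resolv.conf` is a symlink into `/run/systemd/resolve/` (systemd-resolved) name resolution of DNS seeds will fail inside the sandbox, and on merged-/usr hosts the dynamic loader may resolve libraries under `/usr/lib`, which is not bound. Consider adding `BindReadOnlyPaths=-/run/systemd/resolve/ -/usr/lib/ -/usr/lib64/` (the `-` prefix skips sources that do not exist on the host) with a comment saying why each is there. I have not exercised this on a merged-/usr host, so the library point should be verified before relying on it.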
--- a/contrib/init/dogecoind.service
+++ b/contrib/init/dogecoind.service
@@ -1,22 +1,73 @@ +# This variant of the unit file is for package installations. +# +# The relevant paths are: +# +#/usr/bin/dogecoind +#/etc/dogecoin/ +#/var/lib/dogecoin/ + [Unit] Description=Dogecoin's distributed currency daemon After=network.target [Service] +Type=simple +ExecStart=/usr/bin/dogecoind -conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoin + +KillSignal=SIGINT +Restart=always +RestartSec=5 +TimeoutStopSec=60 +TimeoutStartSec=5 +StartLimitIntervalSec=120 +StartLimitBurst=5 + User=dogecoin Group=dogecoin -Type=forking -PIDFile=/var/lib/dogecoind/dogecoind.pid -ExecStart=/usr/bin/dogecoind -daemon -pid=/var/lib/dogecoind/dogecoind.pid \ --conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoind -disablewallet +### Restrict resource consumption +MemoryAccounting=yes +MemoryLimit=3g -Restart=always +### Restrict access to host file system. +# +# Hide the entire root file system by default, and *only* mount in exactly what is needed. +# + +TemporaryFileSystem=/:ro + +# Add core dependencies +BindReadOnlyPaths=/etc/ /lib/ /lib64/ + +# Add daemon paths +BindReadOnlyPaths=/usr/bin/dogecoind /etc/dogecoin/ +BindPaths=/var/lib/dogecoin + +### Restrict access to system. + +NoNewPrivileges=true PrivateTmp=true -TimeoutStopSec=60s -TimeoutStartSec=2s -StartLimitInterval=120s -StartLimitBurst=5 +PrivateDevices=true +PrivateUsers=true +DevicePolicy=closed +ProtectHome=true +ProtectHostname=true +ProtectControlGroups=true +ProtectClock=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectKernelLogs=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=true +RestrictRealtime=true +RestrictSUIDSGID=true +MemoryDenyWriteExecute=true +LockPersonality=true + +# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem, +# since it remounts root as read only over the top. +# In this case, do not enable ProtectSystem. +#ProtectSystem=strict [Install] WantedBy=multi-user.target
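Review bot: The new `ExecStart=` line drops the `-disablewallet` flag that the removed line carried, so the packaged service will now create and load a wallet under `/var/lib/dogecoin` unless `dogecoin.conf` sets `disablewallet=1`; the commit message does not mention this, and a hot wallet on a headless node is a different risk profile from a wallet-less node that the sandboxing does not address. Either restore it, `ExecStart=/usr/bin/dogecoind -conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoin -disablewallet`, or state in the header comment that the wallet is enabled by default and must be disabled in the config. `MemoryLimit=` is the cgroup v1 setting; on cgroup v2 hosts systemd translates it to `MemoryMax=` with a warning, so `MemoryMax=3G` is the current spelling and is mapped back on v1 hosts. The datadir also moves from `/var/lib/dogecoind` to `/var/lib/dogecoin`, which existing installs must migrate (or symlink outside the sandbox) before `BindPaths=` can mount it.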