Lock down the systemd service
The service still has a lot of access; restricting it further reduces the attack surface. systemd-analyze can show exactly which sandboxing directives are missing:
$ systemd-analyze security inspircd.service
NAME DESCRIPTION EXPOSURE
✗ PrivateNetwork= Service has access to the host's … 0.5
✓ User=/DynamicUser= Service runs under a static non-r…
✗ CapabilityBoundingSet=~CAP_SET(UI… Service may change UID/GID identi… 0.3
✗ CapabilityBoundingSet=~CAP_SYS_AD… Service has administrator privile… 0.3
✗ CapabilityBoundingSet=~CAP_SYS_PT… Service has ptrace() debugging ab… 0.3
✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc… 0.3
✗ RestrictNamespaces=~CLONE_NEWUSER Service may create user namespaces 0.3
✗ RestrictAddressFamilies=~… Service may allocate exotic socke… 0.3
✗ CapabilityBoundingSet=~CAP_(CHOWN… Service may change file ownership… 0.2
✗ CapabilityBoundingSet=~CAP_(DAC_*… Service may override UNIX file/IP… 0.2
✗ CapabilityBoundingSet=~CAP_NET_AD… Service has network configuration… 0.2
✗ CapabilityBoundingSet=~CAP_RAWIO Service has raw I/O access 0.2
✗ CapabilityBoundingSet=~CAP_SYS_MO… Service may load kernel modules 0.2
✗ CapabilityBoundingSet=~CAP_SYS_TI… Service processes may change the … 0.2
✗ DeviceAllow= Service has no device ACL 0.2
✗ IPAddressDeny= Service does not define an IP add… 0.2
✓ KeyringMode= Service doesn't share key materia…
✗ NoNewPrivileges= Service processes may acquire new… 0.2
✓ NotifyAccess= Service child processes cannot al…
✗ PrivateDevices= Service potentially has access to… 0.2
✗ PrivateMounts= Service may install system mounts 0.2
✗ PrivateTmp= Service has access to other softw… 0.2
✗ PrivateUsers= Service has access to other users 0.2
✗ ProtectControlGroups= Service may modify to the control… 0.2
✗ ProtectHome= Service has full access to home d… 0.2
✗ ProtectKernelModules= Service may load or read kernel m… 0.2
✗ ProtectKernelTunables= Service may alter kernel tunables 0.2
✗ ProtectSystem= Service has full access to the OS… 0.2
✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet socke… 0.2
✗ SystemCallArchitectures= Service may execute system calls … 0.2
✗ SystemCallFilter=~@clock Service does not filter system ca… 0.2
✗ SystemCallFilter=~@debug Service does not filter system ca… 0.2
✗ SystemCallFilter=~@module Service does not filter system ca… 0.2
✗ SystemCallFilter=~@mount Service does not filter system ca… 0.2
✗ SystemCallFilter=~@raw-io Service does not filter system ca… 0.2
✗ SystemCallFilter=~@reboot Service does not filter system ca… 0.2
✗ SystemCallFilter=~@swap Service does not filter system ca… 0.2
✗ SystemCallFilter=~@privileged Service does not filter system ca… 0.2
✗ SystemCallFilter=~@resources Service does not filter system ca… 0.2
✓ AmbientCapabilities= Service process does not receive …
✗ CapabilityBoundingSet=~CAP_AUDIT_* Service has audit subsystem access 0.1
✗ CapabilityBoundingSet=~CAP_KILL Service may send UNIX signals to … 0.1
✗ CapabilityBoundingSet=~CAP_MKNOD Service may create device nodes 0.1
✗ CapabilityBoundingSet=~CAP_NET_(B… Service has elevated networking p… 0.1
✗ CapabilityBoundingSet=~CAP_SYSLOG Service has access to kernel logg… 0.1
✗ CapabilityBoundingSet=~CAP_SYS_(N… Service has privileges to change … 0.1
✗ RestrictNamespaces=~CLONE_NEWCGRO… Service may create cgroup namespa… 0.1
✗ RestrictNamespaces=~CLONE_NEWIPC Service may create IPC namespaces 0.1
✗ RestrictNamespaces=~CLONE_NEWNET Service may create network namesp… 0.1
✗ RestrictNamespaces=~CLONE_NEWNS Service may create file system na… 0.1
✗ RestrictNamespaces=~CLONE_NEWPID Service may create process namesp… 0.1
✗ RestrictRealtime= Service may acquire realtime sche… 0.1
✗ SystemCallFilter=~@cpu-emulation Service does not filter system ca… 0.1
✗ SystemCallFilter=~@obsolete Service does not filter system ca… 0.1
✗ RestrictAddressFamilies=~AF_NETLI… Service may allocate netlink sock… 0.1
✗ RootDirectory=/RootImage= Service runs within the host's ro… 0.1
✓ SupplementaryGroups= Service has no supplementary grou…
✗ CapabilityBoundingSet=~CAP_MAC_* Service may adjust SMACK MAC 0.1
✗ CapabilityBoundingSet=~CAP_SYS_BO… Service may issue reboot() 0.1
✓ Delegate= Service does not maintain its own…
✗ LockPersonality= Service may change ABI personality 0.1
✗ MemoryDenyWriteExecute= Service may create writable execu… 0.1
✗ RemoveIPC= Service user may leave SysV IPC o… 0.1
✗ RestrictNamespaces=~CLONE_NEWUTS Service may create hostname names… 0.1
✗ UMask= Files created by service are worl… 0.1
✗ CapabilityBoundingSet=~CAP_LINUX_… Service may mark files immutable 0.1
✗ CapabilityBoundingSet=~CAP_IPC_LO… Service may lock memory into RAM 0.1
✗ CapabilityBoundingSet=~CAP_SYS_CH… Service may issue chroot() 0.1
✗ CapabilityBoundingSet=~CAP_BLOCK_… Service may establish wake locks 0.1
✗ CapabilityBoundingSet=~CAP_LEASE Service may create file leases 0.1
✗ CapabilityBoundingSet=~CAP_SYS_PA… Service may use acct() 0.1
✗ CapabilityBoundingSet=~CAP_SYS_TT… Service may issue vhangup() 0.1
✗ CapabilityBoundingSet=~CAP_WAKE_A… Service may program timers that w… 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
→ Overall exposure level for inspircd.service: 9.1 UNSAFE 😨
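The findings above map almost one-to-one onto systemd unit directives. The drop-in below is an added example, not part of the original page or of the InspIRCd project; it assumes the unit already runs as a dedicated non-root user (the ✓ on User=), that the server listens only on unprivileged ports (above 1024, so no CAP_NET_BIND_SERVICE is needed), and that its writable state lives under /var/log/inspircd and /run/inspircd (assumed paths; adjust to the real unit). It uses SystemCallErrorNumber=EPERM so that a blocked syscall fails visibly instead of killing the daemon with SIGSYS, which makes the first deployment easier to debug.

```ini
# /etc/systemd/system/inspircd.service.d/hardening.conf  (assumed path)
# Added example drop-in; each group addresses findings from
# `systemd-analyze security inspircd.service`.
[Service]
# --- Privileges: drop every capability, forbid regaining any ---
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes
RestrictSUIDSGID=yes

# --- Filesystem: read-only OS, no /home, private /tmp and /dev ---
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Writable locations the daemon actually needs (assumed: logs + pid file);
# LogsDirectory/RuntimeDirectory create them owned by User= and permit writes.
LogsDirectory=inspircd
RuntimeDirectory=inspircd
UMask=0077

# --- Kernel interfaces the service has no business touching ---
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectProc=invisible
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes

# --- Namespaces, realtime, ABI and W^X memory ---
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
PrivateUsers=yes
RemoveIPC=yes

# --- Networking: an IRC server needs Internet sockets, nothing exotic ---
# PrivateNetwork= and IPAddressDeny=any stay off on purpose: clients must reach it.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# --- Seccomp: allow the usual service set, block privileged groups ---
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount @reboot @swap @raw-io @module @debug @clock @cpu-emulation @obsolete
# Fail blocked calls with EPERM instead of SIGSYS; easier to spot in the logs.
SystemCallErrorNumber=EPERM
```

Apply it with `systemctl daemon-reload && systemctl restart inspircd.service`, then re-run `systemd-analyze security inspircd.service` and watch `journalctl -u inspircd.service` for "Operation not permitted" errors: a hit on startup usually means the daemon needs something from a filtered group (for example `@resources` if it raises its own file-descriptor limit with setrlimit(), in which case drop that group from the deny list). If the server must bind a port below 1024, add `CAP_NET_BIND_SERVICE` to both CapabilityBoundingSet= and AmbientCapabilities= rather than relaxing the rest. Directives such as ProtectProc=, ProtectClock= and ProtectHostname= need a newer systemd than the one that produced the output above; older versions ignore unknown directives with a warning, so check `systemctl show inspircd.service` to confirm which ones took effect.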