authorSibren Vasse2023-07-11 14:20:20 +0200
committerSibren Vasse2023-07-11 14:20:20 +0200
commita504653532316eb0dd837d06c1f81a6a251891c1 (patch)
treee85ad47b8feb4ea11c887470d92f043bc2667fbb
parent3dc47b8d6bad78df51d9b8d55f5c3951b3c8731d (diff)
downloadaur-a504653532316eb0dd837d06c1f81a6a251891c1.tar.gz
Implement systemd service security features
-rw-r--r--.SRCINFO2
-rw-r--r--PKGBUILD2
-rw-r--r--dnsproxy-adguard.service20
3 files changed, 22 insertions, 2 deletions
diff --git a/.SRCINFO b/.SRCINFO
index eba1757a229a..77bc54906cf8 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = dnsproxy-adguard
pkgdesc = Simple DNS proxy with DoH, DoT, and DNSCrypt support by AdguardTeam
pkgver = 0.51.0
- pkgrel = 2
+ pkgrel = 3
url = https://github.com/AdguardTeam/dnsproxy
arch = x86_64
arch = aarch64
diff --git a/PKGBUILD b/PKGBUILD
index aace1285ea27..92ceeaf5a484 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -5,7 +5,7 @@
_projectname=dnsproxy
pkgname=dnsproxy-adguard
pkgver=0.51.0
-pkgrel=2
+pkgrel=3
pkgdesc="Simple DNS proxy with DoH, DoT, and DNSCrypt support by AdguardTeam"
arch=('x86_64' 'aarch64')
url="https://github.com/AdguardTeam/dnsproxy"
diff --git a/dnsproxy-adguard.service b/dnsproxy-adguard.service
index 8f079b8a2e98..77bfe3004d53 100644
--- a/dnsproxy-adguard.service
+++ b/dnsproxy-adguard.service
@@ -13,5 +13,25 @@ ExecStart=/usr/bin/dnsproxy-adguard -l $ADDRESS -p $PORT $UPSTREAMS $OTHER_PARAM
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=noaccess
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
[Install]
WantedBy=multi-user.target
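Review bot: `RestrictAddressFamilies=AF_UNIX AF_INET` leaves out AF_INET6, so an IPv6 listen address or upstream supplied through `$ADDRESS` or `$UPSTREAMS` would presumably fail at socket creation; unless IPv4-only operation is intended, use `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`. The seccomp-backed settings added here (MemoryDenyWriteExecute, RestrictAddressFamilies, RestrictNamespaces, RestrictRealtime, LockPersonality) should also be paired with `SystemCallArchitectures=native`, which the systemd documentation recommends so that these filters cannot be sidestepped through an alternative syscall ABI on x86_64. `ProtectSystem=strict` makes the whole file system read-only, so any log or output path passed through the extra-parameter variable on the ExecStart line would need a matching `ReadWritePaths=` or `LogsDirectory=`. The start of the [Service] section lies outside this hunk, so whether `User=` or `DynamicUser=` is set cannot be checked from here.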