author Markus Richter 2020-01-05 23:55:10 +0100
committer Markus Richter 2020-01-06 00:12:31 +0100
commit c729d85279c01843d23457463b1309f6a732524f
tree 22f2302c925b929cfe9e3d1787e79938bac23a1a /bitwarden_rs.service
parent 17dfecebc3a391e50b5d8d63826f3b7678f78391
1.13.1
- apply changes to the systemd config from Siosm
- revert cargo test patches
- make restart reminder on update smaller
- remove unnecessary daemon-reloading (is triggered by pacman anyway)

Upstream Changelog:
- New collapsed log messaging, filtering the useless stuff like static file accesses and removing duplicate error messages. To get a more complete logging, use a LOG_LEVEL value of debug or trace.
- Fix crash when cipher page points to huge file
- Added config option to change client IP header, IP_HEADER, by default it's X-Client-IP for backwards compat reasons.
- Printed current server time when failing TOTP, for easy debugging
- Protected websockets server against panics
- Add a logout button on the admin page
- Add endpoint to delete specific U2F key
- Updated dependencies
Diffstat (limited to 'bitwarden_rs.service')
-rw-r--r-- bitwarden_rs.service 17
1 files changed, 16 insertions, 1 deletions
diff --git a/bitwarden_rs.service b/bitwarden_rs.service
index 458600a27ea6..c8263ff33640 100644
--- a/bitwarden_rs.service
+++ b/bitwarden_rs.service
@@ -14,16 +14,31 @@ ExecStart=/usr/bin/bitwarden_rs
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
-# Isolate bitwarden_rs from the rest of the system
+
+# Prevent bitwarden_rs from doing anything stupid and/or unneccessary.
PrivateTmp=true
PrivateDevices=true
+
ProtectHome=true
ProtectSystem=strict
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/var/lib/bitwarden_rs
ReadWriteDirectories=/var/lib/bitwarden_rs
+
# Allow bitwarden_rs to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE
+# Restrict bitwarden_rs to only this capability
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
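Review bot: SystemCallFilter=@system-service is added without a SystemCallErrorNumber= line, so a system call outside the allow-list terminates the service with SIGSYS instead of returning an error to the caller; adding SystemCallErrorNumber=EPERM next to it lets the daemon fail the single operation and keep running. The new Protect* and RestrictNamespaces lines use =yes while the unchanged PrivateTmp, PrivateDevices and ProtectHome lines use =true; use one spelling throughout. The replacement comment ("Prevent bitwarden_rs from doing anything stupid and/or unneccessary.") says less than the line it removes and misspells "unnecessary"; a short comment per group (filesystem, kernel, system calls, address families) would record why each directive is there. NoNewPrivileges= does not appear in the visible lines; if it is not set earlier in the unit, set it explicitly rather than relying on it being implied by the other directives.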