+ declarative user+data folder, clean up .install

- apply changes to the systemd config from Siosm (https://github.com/Siosm/archlinux-bitwarden_rs-postgresql/commit/8862da33b998059ba593e17052b03b0b9d457ad6)
	- harden .service file some more
	- add sysusers and tmpfiles integration
	- remove unneccessary daemon-reloading (is triggered by pacman anyway) in .install file
- make restart reminder on update smaller

1 files changed, 16 insertions, 1 deletions

diff --git a/bitwarden_rs.service b/bitwarden_rs.service
index 458600a27ea6..c8263ff33640 100644
--- a/bitwarden_rs.service
+++ b/bitwarden_rs.service
@@ -14,16 +14,31 @@ ExecStart=/usr/bin/bitwarden_rs
 # Set reasonable connection and process limits
 LimitNOFILE=1048576
 LimitNPROC=64
-# Isolate bitwarden_rs from the rest of the system
+
+# Prevent bitwarden_rs from doing anything stupid and/or unneccessary.
 PrivateTmp=true
 PrivateDevices=true
+
 ProtectHome=true
 ProtectSystem=strict
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
 # Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
 WorkingDirectory=/var/lib/bitwarden_rs
 ReadWriteDirectories=/var/lib/bitwarden_rs
+
 # Allow bitwarden_rs to bind ports in the range of 0-1024
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+# Restrict bitwarden_rs to only this capability
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
 [Install]
 WantedBy=multi-user.target