From a79ea3a5bcea59b6a120ad287674f5a0da7da4b7 Mon Sep 17 00:00:00 2001 From: Rory& Date: Sun, 28 Dec 2025 10:37:27 +0100 Subject: [PATCH] Reduce service permissions --- nix/modules/default/default.nix | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/nix/modules/default/default.nix b/nix/modules/default/default.nix index 0cb837e24..767923550 100644 --- a/nix/modules/default/default.nix +++ b/nix/modules/default/default.nix @@ -223,10 +223,14 @@ in ++ (if cfg.captchaSiteKeyPath != null then [ "captchaSiteKey:${cfg.captchaSiteKeyPath}" ] else [ ]) ++ (if cfg.ipdataApiKeyPath != null then [ "ipdataApiKey:${cfg.ipdataApiKeyPath}" ] else [ ]) ++ (if cfg.requestSignaturePath != null then [ "requestSignature:${cfg.requestSignaturePath}" ] else [ ]); + User = "spacebarchat"; Group = "spacebarchat"; DynamicUser = false; + LockPersonality = true; + NoNewPrivileges = true; + ProtectClock = true; ProtectControlGroups = true; ProtectHostname = true; @@ -247,7 +251,34 @@ in SystemCallFilter = [ "@system-service" "~@privileged" + "@chown" # Required for copying files with FICLONE, apparently. ]; + CapabilityBoundingSet=[ + "~CAP_SYS_ADMIN" + "~CAP_AUDIT_*" + "~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)" + "~CAP_NET_ADMIN" # No use for this as we don't currently use iptables for enforcing instance bans + "~CAP_SYS_TIME" + "~CAP_KILL" + "~CAP_(DAC_*|FOWNER|IPC_OWNER)" + "~CAP_LINUX_IMMUTABLE" + "~CAP_IPC_LOCK" + "~CAP_BPF" + "~CAP_SYS_TTY_CONFIG" + "~CAP_SYS_BOOT" + "~CAP_SYS_CHROOT" + "~CAP_BLOCK_SUSPEND" + "~CAP_LEASE" + "~CAP_(CHOWN|FSETID|FSETFCAP)" # Check if we need CAP_CHOWN for `fchown()` (FICLONE)? + "~CAP_SET(UID|GID|PCAP)" + "~CAP_MAC_*" + "~CAP_SYS_PTRACE" + "~CAP_SYS_(NICE|RESOURCE)" + "~CAP_SYS_RAWIO" + "~CAP_SYSLOG" + ]; + RestrictSUIDSGID = true; + WorkingDirectory = "/var/lib/spacebar"; StateDirectory = "spacebar"; StateDirectoryMode = "0750";
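Review bot: `ProtectClock = true` already removes CAP_SYS_TIME (and CAP_WAKE_ALARM) from the capability bounding set per systemd.exec(5), so the `"~CAP_SYS_TIME"` entry the second hunk adds to CapabilityBoundingSet is redundant and can be dropped there. `NoNewPrivileges = true` is likewise implied by LockPersonality=, ProtectClock= and the existing SystemCallFilter=, but keeping it explicit is reasonable because it documents intent and survives if those other settings are later relaxed. The enclosing serviceConfig attribute set begins before and ends after this hunk, so I cannot see whether settings such as ProtectSystem= or PrivateTmp= are set elsewhere.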
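Review bot: Several of the new CapabilityBoundingSet entries use glob or alternation syntax (`"~CAP_AUDIT_*"`, `"~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)"`, `"~CAP_(DAC_*|FOWNER|IPC_OWNER)"`, `"~CAP_(CHOWN|FSETID|FSETFCAP)"`, `"~CAP_SET(UID|GID|PCAP)"`, `"~CAP_MAC_*"`, `"~CAP_SYS_(NICE|RESOURCE)"`), but systemd.exec(5) documents the option as a whitespace-separated list of plain capability names and, as far as I know, no pattern syntax is accepted, so these words are most likely rejected at parse time and the capabilities they were meant to drop stay in the set; `CAP_FSETFCAP` is additionally not a capability name at all (the real one is CAP_SETFCAP). Because the service runs as the static `spacebarchat` user with `NoNewPrivileges = true`, a deny-list is fragile here and an allow-list is both shorter and stronger: replace the whole list with `CapabilityBoundingSet = "";` and, only if the FICLONE copy path turns out to need a capability (the `# Check if we need CAP_CHOWN …` comment leaves that open), add that single name back explicitly. Running `systemd-analyze security <unit>` against the deployed unit shows which capabilities actually remain and would have caught the silently ignored entries. Minor style: `CapabilityBoundingSet=[` lacks the spaces around `=` used by every other assignment in this block.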