
maybe we should restrict some of the unnecessary privileges in the systemd unit. #145

Open
hexylena opened this issue Jan 18, 2022 · 1 comment

```
$ systemd-analyze security galaxy | tail
✗ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service may issue chroot()                                                   0.1
✗ ProtectHostname=                                            Service may change system host/domainname                                    0.1
✗ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service may establish wake locks                                             0.1
✗ CapabilityBoundingSet=~CAP_LEASE                            Service may create file leases                                               0.1
✗ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service may use acct()                                                       0.1
✗ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service may issue vhangup()                                                  0.1
✗ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service may program timers that wake up the system                           0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                           0.1

→ Overall exposure level for galaxy.service: 9.2 UNSAFE 😨
```

hexylena commented Jul 4, 2022

```ini
# Doesn't seem to be working
SystemCallFilter=~@clock @obsolete @privileged
# The rest do
CapabilityBoundingSet=CAP_KILL CAP_CHOWN CAP_FSETID CAP_SETFCAP
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictNamespaces=~cgroup ipc net mnt pid user uts
RestrictRealtime=yes
LockPersonality=yes
PrivateDevices=yes
PrivateTmp=yes
RestrictSUIDSGID=yes
ProtectControlGroups=yes
ProtectSystem=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
NoNewPrivileges=yes
```

get us down to

```
→ Overall exposure level for galaxy.service: 4.4 OK 🙂
```

with what seems to be no issues.
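As an added example (not from this issue or the Galaxy project), a small parser for the `systemd-analyze security` report format quoted above: it extracts each check with its exposure weight, reads the summary line, and derives the directive change that would clear a failing check. The sample report is constructed from the lines in the issue, and the `remediation` mapping is a heuristic of mine, not something systemd provides.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: failing lines quoted in the issue, one passing line
# (passing checks print no exposure value) and the summary line.
SAMPLE_REPORT = """\
✓ PrivateTmp=                         Service has no access to other software's temporary files
✗ CapabilityBoundingSet=~CAP_SYS_CHROOT   Service may issue chroot()                        0.1
✗ ProtectHostname=                    Service may change system host/domainname             0.1
✗ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND  Service may establish wake locks                0.1
✗ RestrictAddressFamilies=~AF_UNIX    Service may allocate local sockets                    0.1

→ Overall exposure level for galaxy.service: 9.2 UNSAFE 😨
"""

# mark, setting, description, optional exposure weight in the last column
CHECK_RE = re.compile(r"^([✓✗])\s+(\S+)\s+(.*?)(?:\s+(\d+\.\d+))?\s*$")
SUMMARY_RE = re.compile(r"Overall exposure level for (\S+): (\d+\.\d+) (\w+)")

@dataclass
class Check:
    setting: str      # e.g. "CapabilityBoundingSet=~CAP_SYS_CHROOT"
    description: str
    exposure: float   # 0.0 for passing checks
    passed: bool

def parse_report(text: str) -> tuple[list[Check], tuple[str, float, str] | None]:
    """Parse systemd-analyze security output into checks plus (unit, score, rating)."""
    checks, summary = [], None
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            mark, setting, desc, exp = m.groups()
            checks.append(Check(setting, desc, float(exp) if exp else 0.0, mark == "✓"))
            continue
        s = SUMMARY_RE.search(line)
        if s:
            summary = (s.group(1), float(s.group(2)), s.group(3))
    return checks, summary

def remediation(check: Check) -> str:
    """Heuristic (mine, not systemd's): 'Name=~VALUE' means VALUE should be
    excluded from the Name= list; a bare 'Name=' means enable the boolean."""
    name, _, value = check.setting.partition("=")
    if value.startswith("~"):
        return f"exclude {value[1:]} from {name}="
    return f"set {name}=yes"

def failing_by_exposure(checks: list[Check]) -> list[Check]:
    return sorted((c for c in checks if not c.passed), key=lambda c: -c.exposure)
```

Feed it the real report with `systemd-analyze security galaxy --no-pager` on the host and the failing checks come out ordered by how much exposure each one removes.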
