From 0a45cc71dd3c442e80372a1a7f3f2c154e8f6e2e Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Tue, 3 Dec 2019 08:55:28 +0100
Subject: [PATCH] cloud-setup: enable more sandboxing in systemd unit

(cherry picked from commit 667ae99f5dd673f7c2a92f6a4d9ba1e866811003)
---
 clients/cloud-setup/nm-cloud-setup.service.in | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/clients/cloud-setup/nm-cloud-setup.service.in b/clients/cloud-setup/nm-cloud-setup.service.in
index 7d09062760..d81abea2af 100644
--- a/clients/cloud-setup/nm-cloud-setup.service.in
+++ b/clients/cloud-setup/nm-cloud-setup.service.in
@@ -6,3 +6,22 @@ Type=oneshot
 ExecStart=@libexecdir@/nm-cloud-setup
 #Environment=NM_CLOUD_SETUP_LOG=TRACE
+
+CapabilityBoundingSet=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=@system-service
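Review bot: The last added line, `SystemCallFilter=@system-service`, is not paired with `SystemCallArchitectures=native`, and systemd.exec(5) recommends that pairing on multi-ABI hosts (x86-64 with 32-bit compat) so the secondary ABI cannot be used to circumvent the syscall allowlist; adding `SystemCallArchitectures=native` next to it closes that gap. Separately, `ProtectSystem=strict` leaves only /dev, /proc and /sys writable, so if nm-cloud-setup persists any state or cache file it will now fail with EROFS — that cannot be confirmed from this hunk, and would need a `ReadWritePaths=` entry for the affected directory. The [Service] section header and the unit's other sections lie outside the hunk.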