From 4f0d2f55e141760b768a735dfbf89d5ed4327bd3 Mon Sep 17 00:00:00 2001
From: phil <phil@systemausfall.org>
Date: Sat, 25 Feb 2023 20:32:51 +0100
Subject: [PATCH] Add more hardening options

---
 templates/systemd/php-fpm@.service | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/templates/systemd/php-fpm@.service b/templates/systemd/php-fpm@.service
index b9154c7..295b0de 100644
--- a/templates/systemd/php-fpm@.service
+++ b/templates/systemd/php-fpm@.service
@@ -26,18 +26,29 @@ RestartSec=30s
 
 # Hardening
 # https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
+LockPersonality=true
+NoNewPrivileges=true
 PrivateDevices=true
 PrivateTmp=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
-ProtectSystem=full
+ProtectSystem=strict
 RestrictRealtime=true
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictNamespaces=true
-SystemCallFilter=@system-service
+SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+ReadWritePaths=-/var/log/
+ReadWritePaths=-{{ php_fpm_log_dir }}
+ReadWritePaths=-/var/run/
+ReadWritePaths=-/run/
+InaccessiblePaths=-/root/
+RuntimeDirectory=php
+RuntimeDirectoryPreserve=yes
 
 [Install]
 WantedBy=multi-user.target