From 955ba865254c8fa3c7363a9fe58abc54c6e70053 Mon Sep 17 00:00:00 2001
From: phil
Date: Sat, 25 Feb 2023 23:26:58 +0100
Subject: [PATCH] Remove some hardening options

To strict options prevent different services from running. It's better to test these options and include them in specific roles.
---
 templates/systemd/php-fpm@.service | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/templates/systemd/php-fpm@.service b/templates/systemd/php-fpm@.service
index 5bb1411..08658b5 100644
--- a/templates/systemd/php-fpm@.service
+++ b/templates/systemd/php-fpm@.service
@@ -26,15 +26,13 @@ RestartSec=30s
 # Hardening
 # https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
-LockPersonality=true
-NoNewPrivileges=true
 PrivateDevices=true
 PrivateTmp=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
-ProtectSystem=strict
+ProtectSystem=full
 RestrictRealtime=true
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictNamespaces=true
@@ -42,12 +40,6 @@ SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
-ReadWritePaths=-/var/log/
-ReadWritePaths=-{{ php_fpm_log_dir }}/
-ReadWritePaths=-/var/run/
-ReadWritePaths=-/run/
-InaccessiblePaths=-/root/
 # Resources
 CPUQuota={{ php_fpm_cpu_quota }}
 MemoryHigh={{ php_fpm_memory_high }}
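Review bot: Dropping `NoNewPrivileges=true` in the first hunk is a larger regression than the ProtectSystem relaxation, and nothing in the new side records that it was deliberate: without it, the php-fpm master and the pool workers it drops privileges into can regain privileges through setuid/setgid or file-capability binaries launched from PHP (e.g. via `exec()`), and for a unit run by the system manager the remaining `SystemCallFilter=`/`RestrictAddressFamilies=` lines do not imply it as they would for an unprivileged user manager. The commit message only motivates the change by "too strict options", which fits `ProtectSystem=strict` and the now-removed `ReadWritePaths=` lines (under `full`, /var and /run stay writable, so those lines are indeed redundant), but `NoNewPrivileges=` and `LockPersonality=` rarely break a service and are worth keeping by default, overriding them in the specific role that needs setuid helpers. If they must go, add a comment under `# Hardening` so the next maintainer does not assume they were forgotten, e.g. `# NoNewPrivileges=/LockPersonality= and ProtectSystem=strict are intentionally unset here; enable per role after testing (see php-fpm.service.in for the upstream baseline).` The unit's `[Service]` section begins before this hunk, so whether `User=` is set (which matters for what NoNewPrivileges protects) is not visible here.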