From 0678a95352b91214f673201ca15d90a240974dcf Mon Sep 17 00:00:00 2001
From: Muhammad Talal Anwar
Date: Fri, 18 Oct 2024 22:20:18 +0200
Subject: [PATCH] espanso: add sandboxing for systemd service

---
 modules/services/espanso.nix | 9 +++++++++
 .../modules/services/espanso/basic-configuration.service | 7 +++++++
 2 files changed, 16 insertions(+)

diff --git a/modules/services/espanso.nix b/modules/services/espanso.nix
index f6e27e7965be..b9528b8eff14 100644
--- a/modules/services/espanso.nix
+++ b/modules/services/espanso.nix
@@ -124,6 +124,15 @@ in {
         Type = "exec";
         ExecStart = "${cfg.package}/bin/espanso daemon";
         Restart = "on-failure";
+
+        # Sandboxing.
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateUsers = true;
+        RestrictNamespaces = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
       };
       Install = { WantedBy = [ "default.target" ]; };
     };
diff --git a/tests/modules/services/espanso/basic-configuration.service b/tests/modules/services/espanso/basic-configuration.service
index 593196e5952c..822459e96fb5 100644
--- a/tests/modules/services/espanso/basic-configuration.service
+++ b/tests/modules/services/espanso/basic-configuration.service
@@ -3,7 +3,14 @@ WantedBy=default.target
 [Service]
 ExecStart=@espanso@/bin/espanso daemon
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateUsers=true
 Restart=on-failure
+RestrictNamespaces=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 Type=exec
 [Unit]
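Review bot: The `SystemCallFilter = "@system-service"` line in the espanso.nix hunk has no accompanying `SystemCallErrorNumber`, so any syscall outside the allow list terminates the daemon with SIGSYS, and with `Restart = "on-failure"` two lines above that becomes a silent restart loop rather than a visible error. Setting `SystemCallErrorNumber = "EPERM";` next to it makes a filtered call fail with an error the daemon can log instead of being killed, which is the usual choice when the allow list has not been validated against the program's actual syscall profile. The same concern applies to `MemoryDenyWriteExecute = true`: it is only safe if espanso and the helper processes it spawns never need writable-and-executable mappings, and the test file only checks that the options are rendered, not that the daemon still runs under them. The bare `# Sandboxing.` comment should say that these hardening options were chosen for a user-session service and point at where they were verified, e.g. `# Sandboxing: restrict the user-session daemon; verified against espanso's runtime behaviour (see PR discussion).` The enclosing `Service` attribute set starts before the hunk.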