From 279b99e101c9d4d25e7ad7ce377623feb85352ea Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Wed, 10 Apr 2019 14:44:28 +0300
Subject: [PATCH] daemon: Harden systemd service

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 src/daemon/systemd/user/pulseaudio.service.in | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/daemon/systemd/user/pulseaudio.service.in b/src/daemon/systemd/user/pulseaudio.service.in
index 46897bf5a..e2640b6e5 100644
--- a/src/daemon/systemd/user/pulseaudio.service.in
+++ b/src/daemon/systemd/user/pulseaudio.service.in
@@ -17,10 +17,17 @@ Requires=pulseaudio.socket
 ConditionUser=!root
 
 [Service]
+ExecStart=@PA_BINARY@ --daemonize=no
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+Restart=on-failure
+RestrictNamespaces=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 # Note that notify will only work if --daemonize=no
 Type=notify
-ExecStart=@PA_BINARY@ --daemonize=no
-Restart=on-failure
+UMask=0077
 
 [Install]
 Also=pulseaudio.socket