From 6ec09ead126cf6c4a881c9f9fb540fee38e9eb9e Mon Sep 17 00:00:00 2001
From: Andrea Pappacoda
Date: Thu, 21 Apr 2022 15:29:52 +0200
Subject: [PATCH] d/php-fpm.service: harden systemd service

Hardening the systemd service unit makes exploiting potential vulnerabilities much harder, thus improving the security of Debian servers running PHP.

See https://bugs.php.net/72510 and https://github.com/php/php-src/commit/40c4d7f1820df1872a71ab07fd26da45a203e37f

Closes: #1009964
---
 debian/php-fpm.service | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/debian/php-fpm.service b/debian/php-fpm.service
index 415c0d89f..fcdf4be7d 100644
--- a/debian/php-fpm.service
+++ b/debian/php-fpm.service
@@ -10,5 +10,27 @@ ExecStartPost=-/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock
 ExecStopPost=-/usr/lib/php/php-fpm-socket-helper remove /run/php/php-fpm.sock /etc/php/@PHP_VERSION@/fpm/pool.d/www.conf @PHP_MAJOR@@PHP_MINOR@
 ExecReload=/bin/kill -USR2 $MAINPID
+# Hardening - see systemd.exec(5) for details
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=full
+RemoveIPC=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
 [Install]
 WantedBy=multi-user.target
--
GitLab
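Review bot: The new `CapabilityBoundingSet=` line leaves out CAP_KILL, which the php-fpm master very likely needs to signal its own pool workers: the unit has no `User=`, so the master runs as root with exactly these four capabilities, while workers switch to the pool user from the `www.conf` referenced on the ExecStartPost/ExecStopPost lines, and per kill(2) a sender whose real/effective uid matches neither the target's real nor saved uid needs CAP_KILL. If that reading is right, the master's SIGQUIT/SIGTERM for idle-server maintenance, `request_terminate_timeout` and graceful reload fail with EPERM and only systemd's cgroup kill on stop still works, so the line should read `CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID CAP_KILL`; please confirm by shrinking `pm.max_spare_servers` under load and checking the master log for "Operation not permitted" before merging. A lesser point: `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` omits AF_NETLINK, which as far as I recall the upstream unit referenced in the description includes; getifaddrs()-based functions such as net_get_interfaces() and glibc's AI_ADDRCONFIG probing open NETLINK_ROUTE sockets and will now get EAFNOSUPPORT (the former fails outright, the latter degrades silently), so either add AF_NETLINK or record the decision with `# AF_NETLINK deliberately omitted; breaks net_get_interfaces()`. Since every one of these directives fails silently when it bites, a trailing comment such as `# Pools needing more (writes under /etc, other socket families) should relax these via a systemctl edit drop-in` would save operators a debugging session.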