From: Tom Hughes
Date: Wed, 2 Nov 2022 19:27:12 +0000 (+0000)
Subject: Lock down filesystem access for supybot
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/f2c8da6c348697c5fc944923ccaa65aa75b96793
Lock down filesystem access for supybot
---
diff --git a/cookbooks/supybot/recipes/default.rb b/cookbooks/supybot/recipes/default.rb
index 68d8eb744..6b6d2661e 100644
--- a/cookbooks/supybot/recipes/default.rb
+++ b/cookbooks/supybot/recipes/default.rb
@@ -133,8 +133,9 @@ systemd_service "supybot" do
 exec_start "/usr/bin/supybot /etc/supybot/supybot.conf"
 private_tmp true
 private_devices true
- protect_system true
+ protect_system "strict"
 protect_home true
+ read_write_paths ["/etc/supybot", "/var/lib/supybot", "/var/log/supybot"]
 no_new_privileges true
 restart "on-failure"
 end
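Review bot: The `read_write_paths` entry re-opens all of `/etc/supybot` for writing, and that directory holds the `supybot.conf` passed to `exec_start`, so the service can still modify the configuration it is started from even under `protect_system "strict"`. If that is required because the bot saves its settings back to that file at runtime (presumably so; worth confirming), a comment above the line would record it, e.g. `# supybot rewrites its own config, so /etc/supybot must stay writable`. Otherwise drop `/etc/supybot` from the list so that only `/var/lib/supybot` and `/var/log/supybot` remain writable. The `systemd_service` block opens outside the hunk, so the account the service runs as is not visible here.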