From f2c8da6c348697c5fc944923ccaa65aa75b96793 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 2 Nov 2022 19:27:12 +0000
Subject: [PATCH] Lock down filesystem access for supybot

---
 cookbooks/supybot/recipes/default.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cookbooks/supybot/recipes/default.rb b/cookbooks/supybot/recipes/default.rb
index 68d8eb744..6b6d2661e 100644
--- a/cookbooks/supybot/recipes/default.rb
+++ b/cookbooks/supybot/recipes/default.rb
@@ -133,8 +133,9 @@ systemd_service "supybot" do
 exec_start "/usr/bin/supybot /etc/supybot/supybot.conf"
 private_tmp true
 private_devices true
- protect_system true
+ protect_system "strict"
 protect_home true
+ read_write_paths ["/etc/supybot", "/var/lib/supybot", "/var/log/supybot"]
 no_new_privileges true
 restart "on-failure"
 end
-- 
2.45.1
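Review bot: The added `read_write_paths` line makes the whole of `/etc/supybot` writable again, and that directory holds the `supybot.conf` that `exec_start` loads, so even under `protect_system "strict"` the bot process can rewrite its own configuration and have the change persist across restarts. If the bot only needs to save particular files there, narrow the entry to those paths; if the whole directory really is needed, record why with a comment above the line, for example `# supybot saves its running config back to /etc/supybot, so it must stay writable` (adjust to the actual reason). Separately, systemd fails to start a unit when a listed `ReadWritePaths=` entry does not exist, and with `restart "on-failure"` that could become a restart loop. Whether the recipe creates all three directories is not visible here, since the `systemd_service` block begins above the hunk, so confirm that or, assuming the resource passes the strings through unchanged, prefix optional entries with `-`.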