From 18b8e98e3fbf4e026aff2b02dfd92fbdcf95b439 Mon Sep 17 00:00:00 2001 From: Jelle van der Waa Date: Sun, 13 Feb 2022 21:06:55 +0100 Subject: [PATCH] Add ProtectSystem and PrivateTmp to systemd service (#1452) ProtectSystem mounts /boot, /efi and /usr as read only, basically disallowing the daemon from ever writing there. PrivateTmp sets up a file system namespace for /tmp and /var/tmp/ basically hiding it from other processes. Co-authored-by: Charles Kerr --- daemon/transmission-daemon.service | 2 ++ 1 file changed, 2 insertions(+) diff --git a/daemon/transmission-daemon.service b/daemon/transmission-daemon.service index 33a509aa5..b6b92dce2 100644 --- a/daemon/transmission-daemon.service +++ b/daemon/transmission-daemon.service @@ -9,6 +9,8 @@ ExecStart=/usr/bin/transmission-daemon -f --log-error ExecReload=/bin/kill -s HUP $MAINPID NoNewPrivileges=true MemoryDenyWriteExecute=true +ProtectSystem=true +PrivateTmp=true [Install] WantedBy=multi-user.target
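Review bot: The `+ProtectSystem=true` line in this hunk chooses the weakest of the three ProtectSystem levels, and the choice is worth a comment in the unit or the commit message. `true` makes /usr, /boot and /efi read-only, as the message says; `full` additionally makes /etc read-only, and `strict` makes the whole file system read-only except /dev, /proc and /sys, with the daemon's writable state and download locations then whitelisted via `ReadWritePaths=`. Since the unit already runs with `NoNewPrivileges=true` and `MemoryDenyWriteExecute=true`, `full` is the natural next step if transmission-daemon keeps its settings.json and torrent state outside /etc (it would only break if the configured directory lives there), and `strict` plus `ReadWritePaths=` is the option to consider for a later follow-up. Also worth stating in the commit message: `PrivateTmp=true` implies a private mount namespace, so anything the daemon expects to share with other processes through /tmp or /var/tmp (for example a socket or a download directory pointed there by a user) will no longer be visible to them; that is intended, but users who configured such paths should be told.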