From 166ddebdbce7df504abaf17bd6ccc1b99c777906 Mon Sep 17 00:00:00 2001
From: "Haelwenn (lanodan) Monnier" <contact@hacktivis.me>
Date: Tue, 13 Jun 2023 12:45:18 +0200
Subject: [PATCH 1/3] Add no_new_privs to OpenRC service files

---
 installation/init.d/akkoma           | 1 +
 rel/files/installation/init.d/akkoma | 1 +
 2 files changed, 2 insertions(+)

diff --git a/installation/init.d/akkoma b/installation/init.d/akkoma
index 6c1973db4..bd17516f2 100755
--- a/installation/init.d/akkoma
+++ b/installation/init.d/akkoma
@@ -8,6 +8,7 @@ pidfile="/var/run/akkoma.pid"
 directory=/opt/akkoma
 healthcheck_delay=60
 healthcheck_timer=30
+no_new_privs="yes"
 
 : ${akkoma_port:-4000}
 
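Review bot: `no_new_privs="yes"` only takes effect where OpenRC's start-stop-daemon (or supervise-daemon) understands the `no_new_privs` variable; on an older OpenRC it is just an unused shell variable, so the service starts without the restriction and nothing reports that. Unlike the systemd unit later in this series, both OpenRC files add the setting without any explanation of intent or of that caveat; a short comment above the line would cover both, e.g. `# Forbid gaining privileges via execve (setuid, file capabilities); needs an OpenRC whose start-stop-daemon supports --no-new-privs, silently ignored otherwise`. The same applies to the hunk for rel/files/installation/init.d/akkoma.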
diff --git a/rel/files/installation/init.d/akkoma b/rel/files/installation/init.d/akkoma
index ea6ea3580..492a0debe 100755
--- a/rel/files/installation/init.d/akkoma
+++ b/rel/files/installation/init.d/akkoma
@@ -9,6 +9,7 @@ command=/opt/akkoma/bin/pleroma
 command_args="start"
 command_user=akkoma
 command_background=1
+no_new_privs="yes"
 
 # Ask process to terminate within 30 seconds, otherwise kill it
 retry="SIGTERM/30/SIGKILL/5"

From a86b010e103771ada1b50ef8ac22e3d791f1a919 Mon Sep 17 00:00:00 2001
From: Norm <normandy@biribiri.dev>
Date: Thu, 29 Jun 2023 02:14:04 -0400
Subject: [PATCH 2/3] Add NoNewPrivileges to systemd service file for source
 installs

This setting already exists in the OTP installation directory, but
is missing from the one used by source installs.
---
 installation/akkoma.service | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/installation/akkoma.service b/installation/akkoma.service
index 2c381ad0d..717693495 100644
--- a/installation/akkoma.service
+++ b/installation/akkoma.service
@@ -38,6 +38,8 @@ ProtectHome=true
 ProtectSystem=full
 ; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
 PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve(). 
+NoNewPrivileges=true
 ; Drops the sysadmin capability from the daemon.
 CapabilityBoundingSet=~CAP_SYS_ADMIN
 
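Review bot: The added comment line ends with a trailing space after `execve(). `; worth trimming before merge. The comment could also state what the setting blocks in operator terms, since setuid helpers and setcap-granted file capabilities stop being honored under it, e.g. `; Ensures that the service process and all its children can never gain new privileges through execve() (setuid/setgid bits and file capabilities are ignored; use AmbientCapabilities= if the service ever needs e.g. a port below 1024).` The OTP unit this mirrors is not part of the series, so whether the wording matches it cannot be checked from here.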

From db645563062e6169777cc0eadf172ee282f067b2 Mon Sep 17 00:00:00 2001
From: Norm <normandy@biribiri.dev>
Date: Thu, 29 Jun 2023 02:15:32 -0400
Subject: [PATCH 3/3] Record no_new_privs hardening to changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7a81aad09..c2f3757fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Deactivated users can no longer show up in the emoji reaction list
 - Embedded posts can no longer bypass `:restrict\_unauthenticated`
 
+## Security
+
+- Add `no_new_privs` hardening to OpenRC and systemd service files
+
 ## 2023.05
 
 ## Added