From 6d1bfd687106fcb4a75e0d225d77153f2b9c581d Mon Sep 17 00:00:00 2001
From: Craig Andrews <candrews@integralblue.com>
Date: Tue, 24 Jan 2017 12:39:20 -0500
Subject: [PATCH] mail-mta/postfix: additional systemd hardening

Other distributions are doing the same thing, and these additions are recommended by systemd. See https://lwn.net/Articles/709755/

(cherry picked from commit 388f5cae8b89039f285a66651bc70d662a9d8e57)
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Fixes: https://github.com/gentoo/gentoo/pull/3629
---
 mail-mta/postfix/files/postfix.service | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/mail-mta/postfix/files/postfix.service b/mail-mta/postfix/files/postfix.service
index 585849e978b3d..db585b3e29dbe 100644
--- a/mail-mta/postfix/files/postfix.service
+++ b/mail-mta/postfix/files/postfix.service
@@ -15,6 +15,12 @@ ProtectSystem=full
 ReadWritePaths=-/etc/mail/aliases.db
 CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE
 MemoryDenyWriteExecute=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
 
 [Install]
 WantedBy=multi-user.target