From bdc32cee90e099a49214c0b5315ea429959ea8c1 Mon Sep 17 00:00:00 2001
From: FedericoYundt <FedericoYundt@users.noreply.github.com>
Date: Sat, 24 Mar 2018 18:06:40 +0000
Subject: [PATCH] Add optional hardening to systemd service (#259)

---
 systemd/dnscrypt-proxy.service | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/systemd/dnscrypt-proxy.service b/systemd/dnscrypt-proxy.service
index 43c0e22f..03de0018 100644
--- a/systemd/dnscrypt-proxy.service
+++ b/systemd/dnscrypt-proxy.service
@@ -13,6 +13,15 @@ WantedBy=multi-user.target
 [Service]
 Type=simple
 NonBlocking=true
+ProtectHome=true
 
 # Change this
 ExecStart=/opt/dnscrypt-proxy/dnscrypt-proxy
+
+# Run dnscrypt-proxy as unprivileged user with
+# temporary assigned UID/GID. See man:systemd.exec
+# for more info. Requires systemd 232+.
+#DynamicUser=yes
+#CacheDirectory=dnscrypt-proxy
+#LogsDirectory=dnscrypt-proxy
+#RuntimeDirectory=dnscrypt-proxy