From a378dd30cb0226cd9b1ecd5e07f0b98cf446947e Mon Sep 17 00:00:00 2001 From: TubbyCat <100334720+TubbyCat@users.noreply.github.com> Date: Sat, 16 Jul 2022 22:19:03 -0400 Subject: [PATCH 1/7] Update log2ram-daily.service --- log2ram-daily.service | 2 ++ 1 file changed, 2 insertions(+) diff --git a/log2ram-daily.service b/log2ram-daily.service index a8e2933..583adda 100644 --- a/log2ram-daily.service +++ b/log2ram-daily.service @@ -4,3 +4,5 @@ After=log2ram.service [Service] ExecStart=/bin/systemctl reload log2ram.service + +## insert sandboxing here ## From e38c73e2d545e5d87f7c0cdae10f91c43eebef26 Mon Sep 17 00:00:00 2001 From: TubbyCat Date: Wed, 24 Aug 2022 22:32:40 -0400 Subject: [PATCH 2/7] Update log2ram.service untested. partial sandboxing. --- log2ram.service | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/log2ram.service b/log2ram.service index 70c4681..3c575b4 100644 --- a/log2ram.service +++ b/log2ram.service @@ -15,5 +15,28 @@ ExecReload= /usr/local/bin/log2ram write TimeoutStartSec=120 RemainAfterExit=yes +#SANDBOXING# -- NEEDS TESTING +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPriviliges=true +#PrivateDevices= +#PrivateNetwork=true + #Will likely break "MAIL" in log2ram.config if does not point to localhost / disabled +ProtectClock=true +ProtectControlGroups= +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +RestrictSUIDSGID=true +ProtectSystem=full + # ALT: ProtectSystem=true # if-and-only-if needs /etc, but can whitelist dir prn +ProtectHome=true + #will likely break situations wherein configured to also copy logs from $HOME. + #can probably fix with systemctl edit to whitelist relevant dirs + + + + [Install] WantedBy=sysinit.target From 02e7e6bcbd2de9717adce58f12799f0710e0e7f2 Mon Sep 17 00:00:00 2001 
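Review bot: `NoNewPriviliges=true` in the [PATCH 2/7] hunk is misspelled — the systemd directive is `NoNewPrivileges=`, so the manager logs an unknown-key warning and the setting silently does nothing; the same misspelling is carried through patches 4, 6 and 7 of log2ram.service and into log2ram-daily.service in patch 5, and `systemd-analyze verify` on either unit would flag it. Separately, ProtectSystem=, ProtectHome=, PrivateDevices= and the Protect*= directives each run the service in its own mount namespace, which disconnects mount propagation from the service to the host; if log2ram's ExecStart mounts a tmpfs over the log directory for the whole system (the `/var/hdd.log` comment in later patches suggests it does), that mount would exist only inside the unit, so this block needs a real start/stop/reload test rather than the "NEEDS TESTING" marker. The indented comment lines (` #Will likely break "MAIL" ...`) would be better flush-left like every other comment in the unit, since systemd.syntax documents comments as lines beginning with `#`. ExecStart= for this unit is above the hunk and not visible here.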
From: TubbyCat Date: Wed, 24 Aug 2022 22:33:28 -0400 Subject: [PATCH 3/7] Update log2ram.service --- log2ram.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/log2ram.service b/log2ram.service index 3c575b4..ec13e11 100644 --- a/log2ram.service +++ b/log2ram.service @@ -23,7 +23,7 @@ NoNewPriviliges=true #PrivateNetwork=true #Will likely break "MAIL" in log2ram.config if does not point to localhost / disabled ProtectClock=true -ProtectControlGroups= +ProtectControlGroups=true ProtectHostname=true ProtectKernelLogs=true ProtectKernelModules=true From 69bc7a5cbe220e57a79a9f5f998625d7ff62d3d5 Mon Sep 17 00:00:00 2001 From: TubbyCat Date: Thu, 25 Aug 2022 00:00:05 -0400 Subject: [PATCH 4/7] Update log2ram.service --- log2ram.service | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/log2ram.service b/log2ram.service index ec13e11..3dc8a22 100644 --- a/log2ram.service +++ b/log2ram.service @@ -15,12 +15,12 @@ ExecReload= /usr/local/bin/log2ram write TimeoutStartSec=120 RemainAfterExit=yes -#SANDBOXING# -- NEEDS TESTING +#SANDBOXING# -- partly tested LockPersonality=true MemoryDenyWriteExecute=true NoNewPriviliges=true -#PrivateDevices= -#PrivateNetwork=true +PrivateDevices=true +PrivateNetwork=true #Will likely break "MAIL" in log2ram.config if does not point to localhost / disabled ProtectClock=true ProtectControlGroups=true @@ -29,8 +29,8 @@ ProtectKernelLogs=true ProtectKernelModules=true ProtectKernelTunables=true RestrictSUIDSGID=true -ProtectSystem=full - # ALT: ProtectSystem=true # if-and-only-if needs /etc, but can whitelist dir prn +ProtectSystem=true + # ALT: ProtectSystem=full # needs rw whitelisting for /var/hdd.log/ ProtectHome=true #will likely break situations wherein configured to also copy logs from $HOME. #can probably fix with systemctl edit to whitelist relevant dirs From 7f2f8d20dbbb684453b698b7580523e2dab89302 Mon Sep 17 00:00:00 2001 
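Review bot: The replacement comment in the second [PATCH 4/7] hunk, `# ALT: ProtectSystem=full # needs rw whitelisting for /var/hdd.log/`, gives a reason that does not match the directive's semantics: `full` only adds /etc to the read-only set that `true` applies to /usr and the boot loader directories, so /var/hdd.log stays writable under both; only `strict` would require a `ReadWritePaths=` entry for /var/hdd.log and the directory log2ram writes logs into. Suggest `# ALT: ProtectSystem=full # also makes /etc read-only; only =strict would need ReadWritePaths=/var/hdd.log`. The header change to `-- partly tested` in the first hunk would be more useful if it named what was exercised (start, write, reload, stop), since `PrivateDevices=true` and `PrivateNetwork=true` are enabled in that same hunk without a recorded result.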
From: TubbyCat Date: Thu, 25 Aug 2022 16:28:09 -0400 Subject: [PATCH 5/7] Update log2ram-daily.service --- log2ram-daily.service | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/log2ram-daily.service b/log2ram-daily.service index 583adda..fee0058 100644 --- a/log2ram-daily.service +++ b/log2ram-daily.service @@ -5,4 +5,19 @@ After=log2ram.service [Service] ExecStart=/bin/systemctl reload log2ram.service -## insert sandboxing here ## +# Sandboxing +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPriviliges=true +PrivateDevices=true +PrivateNetwork=true + #May affect "Mail" in log2ram.conf. +ProtectClock=true +ProtectControlGroups=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +RestrictSUIDSGID=true +ProtectSystem=strict +ProtectHome=true From c7aef205b10d74769cda650d742c00020b4c0cb6 Mon Sep 17 00:00:00 2001 From: TubbyCat Date: Thu, 25 Aug 2022 16:31:47 -0400 Subject: [PATCH 6/7] Update log2ram.service --- log2ram.service | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/log2ram.service b/log2ram.service index 3dc8a22..1d6ba23 100644 --- a/log2ram.service +++ b/log2ram.service @@ -15,13 +15,13 @@ ExecReload= /usr/local/bin/log2ram write TimeoutStartSec=120 RemainAfterExit=yes -#SANDBOXING# -- partly tested +# SANDBOXING LockPersonality=true MemoryDenyWriteExecute=true NoNewPriviliges=true PrivateDevices=true PrivateNetwork=true - #Will likely break "MAIL" in log2ram.config if does not point to localhost / disabled + #Will likely break "MAIL" in log2ram.config if does not point to localhost or is unused. ProtectClock=true ProtectControlGroups=true ProtectHostname=true @@ -35,8 +35,5 @@ ProtectHome=true #will likely break situations wherein configured to also copy logs from $HOME. #can probably fix with systemctl edit to whitelist relevant dirs - - - [Install] WantedBy=sysinit.target 
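Review bot: In the [PATCH 5/7] hunk the comment ` #May affect "Mail" in log2ram.conf.` under `PrivateNetwork=true` does not apply to this unit: its only command is `/bin/systemctl reload log2ram.service`, which reaches the manager over a local socket, and any mail the reload triggers runs under log2ram.service's own sandbox, not this one — the line should be dropped or reworded to say that. `ProtectSystem=strict` is a reasonable choice for a unit that only invokes systemctl, but `NoNewPriviliges=true` repeats the misspelling from log2ram.service (the directive is `NoNewPrivileges=`). The indented comment is also the only non-flush-left line in an otherwise column-0 unit.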
From c449994e2272b156b3163df44a5c43abc1145498 Mon Sep 17 00:00:00 2001 From: TubbyCat Date: Thu, 25 Aug 2022 18:31:43 -0400 Subject: [PATCH 7/7] Update log2ram.service --- log2ram.service | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/log2ram.service b/log2ram.service index 1d6ba23..130efb1 100644 --- a/log2ram.service +++ b/log2ram.service @@ -15,13 +15,13 @@ ExecReload= /usr/local/bin/log2ram write TimeoutStartSec=120 RemainAfterExit=yes -# SANDBOXING +# Sandboxing LockPersonality=true MemoryDenyWriteExecute=true NoNewPriviliges=true PrivateDevices=true PrivateNetwork=true - #Will likely break "MAIL" in log2ram.config if does not point to localhost or is unused. + #May break "MAIL" in log2ram.conf if it points to non-local web address. ProtectClock=true ProtectControlGroups=true ProtectHostname=true @@ -32,8 +32,8 @@ RestrictSUIDSGID=true ProtectSystem=true # ALT: ProtectSystem=full # needs rw whitelisting for /var/hdd.log/ ProtectHome=true - #will likely break situations wherein configured to also copy logs from $HOME. - #can probably fix with systemctl edit to whitelist relevant dirs + #may cause breakage in situations wherein user has configured log2ram to also copy logs from $HOME. + #can probably fix with systemctl edit to whitelist relevant dirs. See: ReadWritePaths= [Install] WantedBy=sysinit.target
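Review bot: The rewritten comment in the second [PATCH 7/7] hunk points users at `ReadWritePaths=` as the way to keep copying logs from $HOME, but `ProtectHome=true` makes /home, /root and /run/user inaccessible rather than read-only, so a ReadWritePaths= entry under those paths may not take effect on its own; options such as `ProtectHome=read-only`, or `ProtectHome=tmpfs` with a `BindPaths=` entry, are the documented ways to expose a specific directory, and this should be confirmed against systemd.exec before being written into the unit as advice. Suggest `#can be relaxed with systemctl edit, e.g. ProtectHome=read-only or BindPaths= for the directory — see systemd.exec(5)`. The first hunk still carries `NoNewPriviliges=true`, which systemd ignores as an unknown key (`NoNewPrivileges=`).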