From 9d78bd48b5db9a83ac6d93d14fa7f901cc10b0a5 Mon Sep 17 00:00:00 2001
From: Jason Rothstein <fdragon@fdragon.org>
Date: Fri, 27 Dec 2024 19:51:12 -0600
Subject: [PATCH] Fedora 41

Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
---
 .../41/usr/lib/systemd/system/httpd.service   | 19 ++++++++++++++++++-
 .../41/usr/lib/systemd/system/httpd@.service  | 19 ++++++++++++++++++-
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/templates/Fedora/41/usr/lib/systemd/system/httpd.service b/templates/Fedora/41/usr/lib/systemd/system/httpd.service
index c5b5e08..b75e28c 100644
--- a/templates/Fedora/41/usr/lib/systemd/system/httpd.service
+++ b/templates/Fedora/41/usr/lib/systemd/system/httpd.service
@@ -26,8 +26,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
 # Send SIGWINCH for graceful stop
 KillSignal=SIGWINCH
 KillMode=mixed
-PrivateTmp=true
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 OOMPolicy=continue
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
diff --git a/templates/Fedora/41/usr/lib/systemd/system/httpd@.service b/templates/Fedora/41/usr/lib/systemd/system/httpd@.service
index 84424fb..8b20b90 100644
--- a/templates/Fedora/41/usr/lib/systemd/system/httpd@.service
+++ b/templates/Fedora/41/usr/lib/systemd/system/httpd@.service
@@ -19,8 +19,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful -f conf/%i.conf
 # Send SIGWINCH for graceful stop
 KillSignal=SIGWINCH
 KillMode=mixed
-PrivateTmp=true
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 OOMPolicy=continue
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target