From f7593a175165ca37f52f8542c8eb66a6928c3e52 Mon Sep 17 00:00:00 2001
From: Valentin Lorentz
Date: Mon, 18 Sep 2017 19:51:13 +0200
Subject: [PATCH] systemd sandboxing
---
 use/supybot-botchk.rst | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/use/supybot-botchk.rst b/use/supybot-botchk.rst
index ef222eb..21c2743 100644
--- a/use/supybot-botchk.rst
+++ b/use/supybot-botchk.rst
@@ -101,6 +101,11 @@ following content replacing things were suitable::
 Restart=always
 User=BOTUSERNAME
 SyslogIdentifier=Supybot
+ # Uncomment these lines for extra security at the cost of breaking some third-party plugins:
+ # SystemCallFilter=~@raw-io @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io
+ # ProtectSystem=strict
+ # ProtectHome=read-only
+ # ReadWritePaths=/home/bot/botname
 [Install]
 WantedBy=multi-user.target
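Review bot: The added `SystemCallFilter=` line lists `@raw-io` twice, as both the first and the last entry of the deny list; systemd tolerates the duplicate, but it may mean another group was intended in one of the two positions, so drop it or replace it with the group that was meant. The `ReadWritePaths=/home/bot/botname` line is a literal path, while the existing `User=BOTUSERNAME` line uses an upper-case placeholder. With `ProtectSystem=strict` and `ProtectHome=read-only` in force, a reader who uncomments the block without editing that path gets a bot that cannot write to its own data directory. I would write it as a placeholder, for example `# ReadWritePaths=/home/BOTUSERNAME/BOTDIRECTORY` (placeholder names constructed here), and extend the first comment line to say that this path must be the bot's data directory. The unit file starts above the hunk, so any other hardening options already present are not visible here.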