From cc0f3b1f136163ccaafa745d447d1f3823f8979f Mon Sep 17 00:00:00 2001
From: Christian Schwarz
Date: Sun, 27 Oct 2024 21:43:50 +0100
Subject: [PATCH] dist/systemd: remove various Protect* settings (#831)

It pains me to do it, but, especially with hooks, the Protect settings are too restrictive. I wish there were a systemd API that allowed us to self-sandbox, using these settings, _after_ parsing the config.

fixes https://github.com/zrepl/zrepl/issues/735
---
 dist/systemd/zrepl.service | 21 ---------------------
 1 file changed, 21 deletions(-)

diff --git a/dist/systemd/zrepl.service b/dist/systemd/zrepl.service
index 58b849c..f22cfae 100644
--- a/dist/systemd/zrepl.service
+++ b/dist/systemd/zrepl.service
@@ -12,26 +12,5 @@ RuntimeDirectoryMode=0700
 # Make Go produce coredumps
 Environment=GOTRACEBACK='crash'
 
-ProtectSystem=strict
-#PrivateDevices=yes # TODO ZFS needs access to /dev/zfs, could we limit this?
-ProtectKernelTunables=yes
-ProtectControlGroups=yes
-PrivateTmp=yes
-#PrivateUsers=yes # TODO Does not work, why?
-ProtectKernelModules=true
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=true
-RestrictRealtime=yes
-SystemCallArchitectures=native
-
-ProtectHome=read-only
-# ProtectHome=tmpfs totally possible, not by default though because of Debian stretch
-
-# SystemCallFilter
-# ~@privileged doesn't work with Ubuntu 18.04 ssh
-SystemCallFilter=~ @mount @cpu-emulation @keyring @module @obsolete @raw-io @debug @clock @resources
-# Go1.19 added automatic RLIMIT_NOFILE changes, so, we need to allow that
-SystemCallFilter= setrlimit
-
 [Install]
 WantedBy=multi-user.target
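Review bot: Every hardening directive is dropped in one go, although several of the removed lines are unlikely to be what hooks trip over — `SystemCallArchitectures=native`, `RestrictRealtime=yes` and `RestrictNamespaces=true` constrain neither filesystem paths nor which programs a hook may execute, so they could presumably stay (worth checking against the actual failures behind #735). The unit file itself now carries no trace of why it runs unsandboxed, so operators have nothing to opt back in from; a comment such as `# ProtectSystem/ProtectHome/SystemCallFilter were removed (#735) because hooks need broader access; re-add what your setup tolerates via a drop-in (systemctl edit zrepl.service)` would preserve that context in the file. Recording which specific directive broke hooks, rather than the blanket statement in the commit message, would also make it easier to restore the remainder later.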