From 1abb24e84b4651c57adc42056d3d03a3b87d1d00 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Wed, 9 Nov 2022 19:23:46 +0000
Subject: [PATCH] Use default sandboxing for the supybot service

---
 cookbooks/supybot/recipes/default.rb | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/cookbooks/supybot/recipes/default.rb b/cookbooks/supybot/recipes/default.rb
index 6b6d2661e..7545ff331 100644
--- a/cookbooks/supybot/recipes/default.rb
+++ b/cookbooks/supybot/recipes/default.rb
@@ -131,12 +131,8 @@ systemd_service "supybot" do
   after "network.target"
   user "supybot"
   exec_start "/usr/bin/supybot /etc/supybot/supybot.conf"
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
   read_write_paths ["/etc/supybot", "/var/lib/supybot", "/var/log/supybot"]
-  no_new_privileges true
   restart "on-failure"
 end
 
-- 
2.39.5