From eb2f07271931a87b9ba1104b0eec6240e7bf300b Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 24 Sep 2023 10:54:53 +0100
Subject: [PATCH] Add support for BindPaths and BindReadOnlyPaths to systemd_service

---
 cookbooks/systemd/resources/service.rb | 2 ++
 cookbooks/systemd/templates/default/service.erb | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/cookbooks/systemd/resources/service.rb b/cookbooks/systemd/resources/service.rb
index 728009c3f..b8a58a88f 100644
--- a/cookbooks/systemd/resources/service.rb
+++ b/cookbooks/systemd/resources/service.rb
@@ -75,6 +75,8 @@ property :protect_proc, String, :is => %w[noaccess invisible ptraceable default]
 property :proc_subset, String, :is => %w[all pid]
+property :bind_paths, [String, Array]
+property :bind_read_only_paths, [String, Array]
 property :capability_bounding_set, [String, Array]
 property :ambient_capabilities, [String, Array]
 property :no_new_privileges, [true, false]
diff --git a/cookbooks/systemd/templates/default/service.erb b/cookbooks/systemd/templates/default/service.erb
index fb2427de7..01e9e1d4f 100644
--- a/cookbooks/systemd/templates/default/service.erb
+++ b/cookbooks/systemd/templates/default/service.erb
@@ -163,6 +163,12 @@ ProtectProc=<%= @protect_proc %>
 <% if @proc_subset && node[:lsb][:release].to_f >= 22.04 -%>
 ProcSubset=<%= @proc_subset %>
 <% end -%>
+<% if @bind_paths -%>
+BindPaths=<%= Array(@bind_paths).sort.uniq.join(" ") %>
+<% end -%>
+<% if @bind_read_only_paths -%>
+BindReadOnlyPaths=<%= Array(@bind_read_only_paths).sort.uniq.join(" ") %>
+<% end -%>
 <% if @no_new_privileges -%>
 NoNewPrivileges=<%= @no_new_privileges %>
 <% end -%>
-- 
2.39.5
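Review bot: The two new `property :bind_paths` / `property :bind_read_only_paths` lines accept any String or Array with no validation and no comment on the value format, while the neighbouring `protect_proc` and `proc_subset` properties pin their values with `:is =>`; a caller is given nothing that says an entry is `source[:destination[:rbind|norbind]]`, that a leading `-` makes a missing source non-fatal, or that `bind_paths` produces a writable bind mount. systemd documents `BindPaths=` as creating writable mounts unless the source mount is itself read-only, so as far as I can tell a `bind_paths` entry can expose for writing a path that the unit's `ProtectSystem=`/`ReadOnlyPaths=` settings would otherwise keep read-only, which is worth steering callers away from by default. I would add above the two properties: `# BindPaths=/BindReadOnlyPaths= entries, each "source[:destination[:rbind|norbind]]" (prefix "-" to ignore a missing source); bind_paths mounts are writable, so prefer bind_read_only_paths unless the unit must write through the mount.` Entries are also emitted space-separated without quoting by the template, so the comment should note that an entry containing whitespace will be read by systemd as two definitions unless the caller quotes it. Whether the resource's other list properties are documented this way elsewhere in the file is not visible from the hunk.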
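Review bot: The new guards `<% if @bind_paths -%>` and `<% if @bind_read_only_paths -%>` only exclude nil, but an empty Array or empty String is truthy in Ruby, so `bind_paths []` renders a bare `BindPaths=` line, and systemd treats an empty assignment to either `BindPaths=` or `BindReadOnlyPaths=` as a reset of the entire bind-mount list defined before it, covering both directives. With the two directives emitted in this order, `bind_read_only_paths []` alongside a populated `bind_paths` would silently discard the writable mounts the template just wrote, which is the wrong direction for a sandboxing setting to fail in. Guard on content rather than presence: `<% if @bind_paths && !Array(@bind_paths).empty? -%>` and `<% if @bind_read_only_paths && !Array(@bind_read_only_paths).empty? -%>`. The surrounding guards use the same nil-only test, so any other list directive rendered this way elsewhere in the template (outside this hunk) likely deserves the same check.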