From 9a2b88cb1fe19a7b71f5713e4d4685673a6cccdd Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface" <joshua@boniface.me>
Date: Sun, 12 Dec 2021 16:57:35 -0500
Subject: [PATCH 1/4] Revert some hardening that breaks LXC

For each of these, we should be OK since we run as an unprivileged user
anyways.
---
 debian/jellyfin.service | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/debian/jellyfin.service b/debian/jellyfin.service
index 071f949dd9..ce0a3cf3db 100644
--- a/debian/jellyfin.service
+++ b/debian/jellyfin.service
@@ -13,17 +13,17 @@ TimeoutSec = 15
 NoNewPrivileges=true
 SystemCallArchitectures=native
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=true
+RestrictNamespaces=false
 RestrictRealtime=true
 RestrictSUIDSGID=true
 ProtectClock=true
-ProtectControlGroups=true
+ProtectControlGroups=false
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
+ProtectKernelLogs=false
+ProtectKernelModules=false
+ProtectKernelTunables=false
 LockPersonality=true
-PrivateTmp=true
+PrivateTmp=false
 PrivateDevices=false
 PrivateUsers=true
 RemoveIPC=true

From fcf5b9b46e7d120904fdafb3df726b1a1309660d Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface" <joshua@boniface.me>
Date: Sun, 12 Dec 2021 17:01:35 -0500
Subject: [PATCH 2/4] Unify and standardize unit files between deb/rpm

Ensures that the RPM service unit has all the tweaks from the Deb
service unit, and some in the other direction too.
---
 debian/jellyfin.service |  3 ++-
 fedora/jellyfin.service | 55 +++++++++++++++++++++++++++++++++--------
 2 files changed, 47 insertions(+), 11 deletions(-)

diff --git a/debian/jellyfin.service b/debian/jellyfin.service
index ce0a3cf3db..a999b76bec 100644
--- a/debian/jellyfin.service
+++ b/debian/jellyfin.service
@@ -6,6 +6,8 @@ After = network-online.target
 Type = simple
 EnvironmentFile = /etc/default/jellyfin
 User = jellyfin
+Group = jellyfin
+WorkingDirectory = /var/lib/jellyfin
 ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} ${JELLYFIN_ADDITIONAL_OPTS}
 Restart = on-failure
 TimeoutSec = 15
@@ -44,6 +46,5 @@ SystemCallFilter=~@setuid
 SystemCallFilter=~@swap
 SystemCallErrorNumber=EPERM
 
-
 [Install]
 WantedBy = multi-user.target
diff --git a/fedora/jellyfin.service b/fedora/jellyfin.service
index f706b0ad3f..f2bb2d5f20 100644
--- a/fedora/jellyfin.service
+++ b/fedora/jellyfin.service
@@ -1,15 +1,50 @@
 [Unit]
-After=network-online.target
-Description=Jellyfin is a free software media system that puts you in control of managing and streaming your media.
+Description = Jellyfin Media Server
+After = network-online.target
 
 [Service]
-EnvironmentFile=/etc/sysconfig/jellyfin
-WorkingDirectory=/var/lib/jellyfin
-ExecStart=/usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT}
-TimeoutSec=15
-Restart=on-failure
-User=jellyfin
-Group=jellyfin
+Type = simple
+EnvironmentFile = /etc/sysconfig/jellyfin
+User = jellyfin
+Group = jellyfin
+WorkingDirectory = /var/lib/jellyfin
+ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} ${JELLYFIN_ADDITIONAL_OPTS}
+Restart = on-failure
+TimeoutSec = 15
+
+NoNewPrivileges=true
+SystemCallArchitectures=native
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=false
+RestrictRealtime=true
+RestrictSUIDSGID=true
+ProtectClock=true
+ProtectControlGroups=false
+ProtectHostname=true
+ProtectKernelLogs=false
+ProtectKernelModules=false
+ProtectKernelTunables=false
+LockPersonality=true
+PrivateTmp=false
+PrivateDevices=false
+PrivateUsers=true
+RemoveIPC=true
+SystemCallFilter=~@clock
+SystemCallFilter=~@aio
+SystemCallFilter=~@chown
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@keyring
+SystemCallFilter=~@memlock
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@setuid
+SystemCallFilter=~@swap
+SystemCallErrorNumber=EPERM
 
 [Install]
-WantedBy=multi-user.target
+WantedBy = multi-user.target

From 1d7a524d82deab5f331d85fce30e26518845a4f3 Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface" <joshua@boniface.me>
Date: Tue, 15 Mar 2022 20:27:12 -0400
Subject: [PATCH 3/4] Add SuccessExitStatus for exit 143

Fixes #3182
---
 debian/jellyfin.service | 1 +
 fedora/jellyfin.service | 1 +
 2 files changed, 2 insertions(+)

diff --git a/debian/jellyfin.service b/debian/jellyfin.service
index 12ae18a219..064e105373 100644
--- a/debian/jellyfin.service
+++ b/debian/jellyfin.service
@@ -11,6 +11,7 @@ WorkingDirectory = /var/lib/jellyfin
 ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} ${JELLYFIN_ADDITIONAL_OPTS}
 Restart = on-failure
 TimeoutSec = 15
+SuccessExitStatus=0 143
 
 NoNewPrivileges=true
 SystemCallArchitectures=native
diff --git a/fedora/jellyfin.service b/fedora/jellyfin.service
index f2bb2d5f20..1193ddb5be 100644
--- a/fedora/jellyfin.service
+++ b/fedora/jellyfin.service
@@ -11,6 +11,7 @@ WorkingDirectory = /var/lib/jellyfin
 ExecStart = /usr/bin/jellyfin ${JELLYFIN_WEB_OPT} ${JELLYFIN_RESTART_OPT} ${JELLYFIN_FFMPEG_OPT} ${JELLYFIN_SERVICE_OPT} ${JELLYFIN_NOWEBAPP_OPT} ${JELLYFIN_ADDITIONAL_OPTS}
 Restart = on-failure
 TimeoutSec = 15
+SuccessExitStatus=0 143
 
 NoNewPrivileges=true
 SystemCallArchitectures=native

From 93f569d286825eee32a682521cf832f60713a931 Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface" <joshua@boniface.me>
Date: Sat, 19 Mar 2022 12:27:48 -0400
Subject: [PATCH 4/4] Add comment about sysv options

---
 debian/conf/jellyfin | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/conf/jellyfin b/debian/conf/jellyfin
index ab8d5d1d4d..2f0630a9ce 100644
--- a/debian/conf/jellyfin
+++ b/debian/conf/jellyfin
@@ -44,6 +44,8 @@ JELLYFIN_ADDITIONAL_OPTS=""
 #
 # SysV init/Upstart options
 #
+# Note: These options are ignored by systemd; use /etc/systemd/system/jellyfin.d overrides instead.
+#
 
 # Application username
 JELLYFIN_USER="jellyfin"