From 7e4f08c0333e4fe4b2413609e493817568725c85 Mon Sep 17 00:00:00 2001
From: Stefan Tatschner
Date: Sat, 10 Oct 2015 14:56:47 +0200
Subject: [PATCH] Jail the whole thing a bit more
Add WorkingDirectory to create and use the certificates within /var/lib/syncthing-relaysrv. Add RootDirectory to chroot(2) the whole thing into that directory.
---
cmd/relaysrv/etc/linux-systemd/syncthing-relaysrv.service | 2 ++
1 file changed, 2 insertions(+)
diff --git a/cmd/relaysrv/etc/linux-systemd/syncthing-relaysrv.service b/cmd/relaysrv/etc/linux-systemd/syncthing-relaysrv.service
index 93852893d..5dc3eee09 100644
--- a/cmd/relaysrv/etc/linux-systemd/syncthing-relaysrv.service
+++ b/cmd/relaysrv/etc/linux-systemd/syncthing-relaysrv.service
@@ -6,6 +6,8 @@ After=network.target
 User=syncthing-relaysrv
 Group=syncthing-relaysrv
 ExecStart=/usr/bin/syncthing-relaysrv
+WorkingDirectory=/var/lib/syncthing-relaysrv
+RootDirectory=/var/lib/syncthing-relaysrv
 PrivateTmp=true
 ProtectSystem=full
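Review bot: With `RootDirectory=/var/lib/syncthing-relaysrv` added, systemd resolves `ExecStart=/usr/bin/syncthing-relaysrv` and the new `WorkingDirectory=` inside the chroot, so as far as I can tell the unit will only start if the binary is provisioned under `/var/lib/syncthing-relaysrv/usr/bin/`. The working directory would land on `/var/lib/syncthing-relaysrv/var/lib/syncthing-relaysrv`; if the intent is to create the certificates at the top of the jail, the added line should read `WorkingDirectory=/`. The jail root is also the directory the unprivileged service user writes to, which weakens the chroot as a boundary; a root-owned jail with a writable subdirectory for the certificates is the more conservative layout. I would add a comment above the two lines, `# chroot jail: the binary and any files it needs (resolver config, CA certificates) must exist under this root`, so packagers know what has to be populated. The unit continues past the end of this hunk, so later directives were not reviewed.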