Such patches should be submitted upstream to the original developer (when they are open to having a systemd unit file or at least already have a systemd unit file), as well as submitted upstream to Debian. This is very important to:
- offload maintenance work in the long run,
- inspire them to play around with adding more systemd sandboxing (they understand their software better than we do),
- and to have them run into bugs first in case their software changes so we don’t run into these bugs on (distribution) upgrades.
Additionally we could add to security-misc, see how that goes (if too many issues, a separate package), but only after the above is done, as a stopgap until upstream flows down to Whonix.
You could start with Whonix’s own (network-facing priority) systemd unit files, which of course can be quickly merged in Whonix itself.
Related Whonix tickets:
- T631 re-enable tor-controlport-filter.service systemd hardening
- T362 systemd SystemCallFilter= containment option seccomp hardening
Related:
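For readers who have not written such a patch before, the following is an added example of the kind of systemd sandboxing drop-in the post is talking about. It is not from the thread, from Whonix or from security-misc; the service name `example-netd.service` is hypothetical and stands for any network-facing daemon (a control-port filter, a proxy) that only needs ordinary IPv4/IPv6/Unix sockets and no privileges. A drop-in like this is kept next to the unit rather than rewriting it, which is also the form in which it can be offered upstream and to Debian:

```ini
# /etc/systemd/system/example-netd.service.d/30-sandbox.conf
# Added example (not Whonix or security-misc code). Service name is hypothetical.
# Every directive below is a stock systemd.exec(5) option; tighten or relax to fit
# what the daemon actually does, then re-check with:
#   systemd-analyze security example-netd.service
[Service]
# Drop all capabilities and forbid regaining any via setuid/fscaps.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes

# Filesystem view: read-only system, no home directories, private /tmp and /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Add the daemon's real state/runtime paths here if it writes anywhere.
# StateDirectory=example-netd

# Kernel interfaces the daemon has no business touching.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible

# Only the socket families a plain TCP/Unix-socket daemon needs.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# Disallow writable+executable memory; drop this line for JIT-based runtimes.
MemoryDenyWriteExecute=yes

# seccomp (the T362 topic): refuse non-native ABIs, allow the "system service"
# allow-list, then carve out privileged and resource-limit syscalls. Blocked
# calls fail with EPERM instead of killing the process, which makes a too-tight
# filter show up as a clear error in the daemon's log rather than a SIGSYS.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
```

After `systemctl daemon-reload` and a restart, watch `journalctl -u example-netd.service` while exercising the daemon's real code paths; the bugs the post wants upstream to hit first usually surface here as "Operation not permitted" or a failed bind, and the fix is to add exactly the missing syscall group, address family or path rather than removing the whole filter.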