From 26bf2b05a570be8af22db2585e3c4292fe1d4012 Mon Sep 17 00:00:00 2001
From: Michael Prokop <mprokop@sipwise.com>
Date: Mon, 27 Jun 2022 15:46:49 +0200
Subject: [PATCH] TT#182450 systemd hardening: allow R/W access to
 /var/spool/rtpengine

By default we use /var/spool/rtpengine as recording directory,
so ensure we have R/W access to it.

Change-Id: I4abf4df218b1ba0dc70ed8974c0661d16e0b6ea7
---
 debian/ngcp-rtpengine-daemon.service | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian/ngcp-rtpengine-daemon.service b/debian/ngcp-rtpengine-daemon.service
index 9e84c5a75..99fc639ea 100644
--- a/debian/ngcp-rtpengine-daemon.service
+++ b/debian/ngcp-rtpengine-daemon.service
@@ -43,6 +43,9 @@ ProtectKernelTunables=true
 # Service has strict read-only access to the OS file hierarchy
 ProtectSystem=strict
 
+# Allow write access
+ReadWritePaths=/var/spool/rtpengine
+
 # Access to the kernel log ring buffer will be denied
 ProtectKernelLogs=true