There are systemd unit files for syncany:
/etc/linux-systemd/user/syncthing.service
/etc/linux-systemd/system/syncthing%40.service
And it is good to see they even ship with some basic hardening:
ProtectSystem=full
PrivateTmp=true
I think it would make sense to add some more. For example, ProtectSystem=full does make /etc read-only, but you can still read /etc/shadow or /etc/passwd, depending on which user is running syncany.
I would suggest adding the following. (The - sign means the entry is ignored if the directory does not exist on the filesystem.)
ProtectKernelModules=true
ProtectKernelTunables=true
InaccessiblePaths=-/etc -/boot -/var -/dev -/media -/mnt -/root -/srv
ReadOnlyPaths=-/bin -/sbin -/usr -/lib -/lib64 -/opt
This list might be rather strict and might need some tweaking, but I think it is worth a shot.
Perhaps it might even make sense to use whitelisting rather than blacklisting, e.g.:
InaccessiblePaths=/
ReadOnlyPaths=/home/
ReadWritePaths=-/home/sync
NoExecPaths=/
ExecPaths=/usr/bin/syncthing /usr/lib /usr/lib64
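As an added example (not code from the syncthing project or the poster), the following script installs the suggested blacklist-style directives as a systemd drop-in override, so the packaged unit is left untouched and upgrades do not revert the hardening, and then audits a unit plus its drop-ins for directives that are still missing. The ROOT prefix and the file name 50-hardening.conf are assumptions; the demo writes under a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example: hardening drop-in for the packaged syncthing unit plus a small audit.
# ROOT is an assumed prefix for testing; set ROOT=/ to act on a real host.
ROOT="${ROOT:-$(mktemp -d)}"

# write_hardening_dropin UNIT: create $ROOT/etc/systemd/system/UNIT.d/50-hardening.conf
write_hardening_dropin() {
    unit="$1"
    dir="$ROOT/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/50-hardening.conf" <<'EOF'
[Service]
# Leading '-' means systemd skips the entry if the path does not exist.
ProtectSystem=full
PrivateTmp=true
ProtectKernelModules=true
ProtectKernelTunables=true
InaccessiblePaths=-/etc -/boot -/var -/dev -/media -/mnt -/root -/srv
ReadOnlyPaths=-/bin -/sbin -/usr -/lib -/lib64 -/opt
EOF
    printf '%s\n' "$dir/50-hardening.conf"
}

# missing_directives UNIT: print each hardening key not set in the unit or any of its drop-ins
missing_directives() {
    unit="$1"
    # Unquoted on purpose: the glob expands to the drop-in files, if any exist.
    files="$ROOT/etc/systemd/system/$unit $ROOT/etc/systemd/system/$unit.d/*.conf"
    for key in ProtectSystem PrivateTmp ProtectKernelModules ProtectKernelTunables InaccessiblePaths ReadOnlyPaths; do
        # cat 2>/dev/null tolerates absent files; the key must start a line to count as set
        if ! cat $files 2>/dev/null | grep -q "^$key="; then
            printf '%s\n' "$key"
        fi
    done
}

# Demo: a constructed copy of the shipped unit that carries only the two basic directives
mkdir -p "$ROOT/etc/systemd/system"
printf '[Service]\nProtectSystem=full\nPrivateTmp=true\n' > "$ROOT/etc/systemd/system/syncthing@.service"
echo "Missing before: $(missing_directives 'syncthing@.service' | tr '\n' ' ')"
write_hardening_dropin 'syncthing@.service' >/dev/null
echo "Missing after: $(missing_directives 'syncthing@.service' | tr '\n' ' ')"
# On a real host, follow with: systemctl daemon-reload && systemd-analyze security syncthing@USER.service
```

The same drop-in mechanism works for the whitelist variant above: replace the body of 50-hardening.conf with those directives and re-run the audit with the keys you care about.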