gentoo-overlay/net-im/teleirc/files/0099-hardening-service.patch

From 4d747ec9f76b56fd446d09a97dc6bbf110566727 Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko <alex@millerson.name>
Date: Tue, 11 Feb 2025 18:21:54 +0300
Subject: [PATCH] hardening service
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
---
 deployments/systemd/teleirc.sysusers |  1 -
 deployments/systemd/teleirc@.service | 28 ++++++++++++++++++++++++++--
 2 files changed, 26 insertions(+), 3 deletions(-)
 delete mode 100644 deployments/systemd/teleirc.sysusers

diff --git a/deployments/systemd/teleirc.sysusers b/deployments/systemd/teleirc.sysusers
deleted file mode 100644
index f25c7d1d4088..000000000000
--- a/deployments/systemd/teleirc.sysusers
+++ /dev/null
@@ -1 +0,0 @@
-u teleirc - "TeleIRC Service"
diff --git a/deployments/systemd/teleirc@.service b/deployments/systemd/teleirc@.service
index 17bb19a50001..36acacac7f28 100644
--- a/deployments/systemd/teleirc@.service
+++ b/deployments/systemd/teleirc@.service
@@ -4,9 +4,33 @@ Requires=network.target
 After=multi-user.target
 
 [Service]
+DynamicUser=true
+LoadCredential=%i:/etc/teleirc/%i
+AmbientCapabilities=
+CapabilityBoundingSet=
+RestrictNamespaces=yes
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ProtectProc=invisible
+ProcSubset=pid
+ProtectKernelTunables=yes
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+PrivateDevices=yes
+PrivateUsers=yes
+SystemCallArchitectures=native
+ProtectClock=yes
+UMask=7177
 Type=simple
-User=teleirc
-ExecStart=/usr/local/bin/teleirc -conf /etc/teleirc/%i
+ExecStart=/usr/bin/teleirc -conf %d/%i
 Restart=always
 RestartSec=60
 
-- 
2.41.0
net-im/teleirc: hardening service 2025-02-11 18:35:16 +03:00			`From 4d747ec9f76b56fd446d09a97dc6bbf110566727 Mon Sep 17 00:00:00 2001`
			`From: Alexander Miroshnichenko <alex@millerson.name>`
			`Date: Tue, 11 Feb 2025 18:21:54 +0300`
			`Subject: [PATCH] hardening service`
			`Content-Type: text/plain; charset="utf-8"`
			`Content-Transfer-Encoding: 8bit`

			`Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>`
			`---`
			`deployments/systemd/teleirc.sysusers \| 1 -`
			`deployments/systemd/teleirc@.service \| 28 ++++++++++++++++++++++++++--`
			`2 files changed, 26 insertions(+), 3 deletions(-)`
			`delete mode 100644 deployments/systemd/teleirc.sysusers`

			`diff --git a/deployments/systemd/teleirc.sysusers b/deployments/systemd/teleirc.sysusers`
			`deleted file mode 100644`
			`index f25c7d1d4088..000000000000`
			`--- a/deployments/systemd/teleirc.sysusers`
			`+++ /dev/null`
			`@@ -1 +0,0 @@`
			`-u teleirc - "TeleIRC Service"`
			`diff --git a/deployments/systemd/teleirc@.service b/deployments/systemd/teleirc@.service`
			`index 17bb19a50001..36acacac7f28 100644`
			`--- a/deployments/systemd/teleirc@.service`
			`+++ b/deployments/systemd/teleirc@.service`
			`@@ -4,9 +4,33 @@ Requires=network.target`
			`After=multi-user.target`

			`[Service]`
			`+DynamicUser=true`
			`+LoadCredential=%i:/etc/teleirc/%i`
			`+AmbientCapabilities=`
			`+CapabilityBoundingSet=`
			`+RestrictNamespaces=yes`
			`+ProtectSystem=strict`
			`+ProtectHome=true`
			`+PrivateTmp=true`
			`+ProtectProc=invisible`
			`+ProcSubset=pid`
			`+ProtectKernelTunables=yes`
			`+ProtectKernelModules=true`
			`+ProtectControlGroups=true`
			`+ProtectHostname=true`
			`+ProtectKernelLogs=true`
			`+LockPersonality=yes`
			`+MemoryDenyWriteExecute=yes`
			`+NoNewPrivileges=yes`
			`+RestrictSUIDSGID=yes`
			`+RestrictRealtime=yes`
			`+PrivateDevices=yes`
			`+PrivateUsers=yes`
			`+SystemCallArchitectures=native`
			`+ProtectClock=yes`
			`+UMask=7177`
			`Type=simple`
			`-User=teleirc`
			`-ExecStart=/usr/local/bin/teleirc -conf /etc/teleirc/%i`
			`+ExecStart=/usr/bin/teleirc -conf %d/%i`
			`Restart=always`
			`RestartSec=60`

			`--`
			`2.41.0`