net-im/teleirc: hardening service
This commit is contained in:
parent
4d34160920
commit
1877bcc2da
GPG Key ID:
E93720C6C73A77F4
64
net-im/teleirc/files/0099-hardening-service.patch
Normal file
64
net-im/teleirc/files/0099-hardening-service.patch
Normal file
@ -0,0 +1,64 @@
|
||||
From 4d747ec9f76b56fd446d09a97dc6bbf110566727 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Miroshnichenko <alex@millerson.name>
|
||||
Date: Tue, 11 Feb 2025 18:21:54 +0300
|
||||
Subject: [PATCH] hardening service
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
|
||||
---
|
||||
deployments/systemd/teleirc.sysusers | 1 -
|
||||
deployments/systemd/teleirc@.service | 28 ++++++++++++++++++++++++++--
|
||||
2 files changed, 26 insertions(+), 3 deletions(-)
|
||||
delete mode 100644 deployments/systemd/teleirc.sysusers
|
||||
|
||||
diff --git a/deployments/systemd/teleirc.sysusers b/deployments/systemd/teleirc.sysusers
|
||||
deleted file mode 100644
|
||||
index f25c7d1d4088..000000000000
|
||||
--- a/deployments/systemd/teleirc.sysusers
|
||||
+++ /dev/null
|
||||
@@ -1 +0,0 @@
|
||||
-u teleirc - "TeleIRC Service"
|
||||
diff --git a/deployments/systemd/teleirc@.service b/deployments/systemd/teleirc@.service
|
||||
index 17bb19a50001..36acacac7f28 100644
|
||||
--- a/deployments/systemd/teleirc@.service
|
||||
+++ b/deployments/systemd/teleirc@.service
|
||||
@@ -4,9 +4,33 @@ Requires=network.target
|
||||
After=multi-user.target
|
||||
|
||||
[Service]
|
||||
+DynamicUser=true
|
||||
+LoadCredential=%i:/etc/teleirc/%i
|
||||
+AmbientCapabilities=
|
||||
+CapabilityBoundingSet=
|
||||
+RestrictNamespaces=yes
|
||||
+ProtectSystem=strict
|
||||
+ProtectHome=true
|
||||
+PrivateTmp=true
|
||||
+ProtectProc=invisible
|
||||
+ProcSubset=pid
|
||||
+ProtectKernelTunables=yes
|
||||
+ProtectKernelModules=true
|
||||
+ProtectControlGroups=true
|
||||
+ProtectHostname=true
|
||||
+ProtectKernelLogs=true
|
||||
+LockPersonality=yes
|
||||
+MemoryDenyWriteExecute=yes
|
||||
+NoNewPrivileges=yes
|
||||
+RestrictSUIDSGID=yes
|
||||
+RestrictRealtime=yes
|
||||
+PrivateDevices=yes
|
||||
+PrivateUsers=yes
|
||||
+SystemCallArchitectures=native
|
||||
+ProtectClock=yes
|
||||
+UMask=7177
|
||||
Type=simple
|
||||
-User=teleirc
|
||||
-ExecStart=/usr/local/bin/teleirc -conf /etc/teleirc/%i
|
||||
+ExecStart=/usr/bin/teleirc -conf %d/%i
|
||||
Restart=always
|
||||
RestartSec=60
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@ -24,35 +24,8 @@ src_prepare() {
|
||||
)
|
||||
default
|
||||
|
||||
sed -i -e "s@/usr/local/bin/@/usr/bin/@" \
|
||||
-e "/^User=/Id" \
|
||||
-e "/\[Service\]/a DynamicUser=true" \
|
||||
-e "/\[Service\]/a LoadCredential=%i:/etc/teleirc/%i" \
|
||||
-e "/\[Service\]/a AmbientCapabilities=" \
|
||||
-e "/\[Service\]/a CapabilityBoundingSet=" \
|
||||
-e "/\[Service\]/a RestrictNamespaces=yes" \
|
||||
-e "/\[Service\]/a ProtectSystem=strict" \
|
||||
-e "/\[Service\]/a ProtectHome=true" \
|
||||
-e "/\[Service\]/a PrivateTmp=true" \
|
||||
-e "/\[Service\]/a ProtectProc=invisible" \
|
||||
-e "/\[Service\]/a ProcSubset=pid" \
|
||||
-e "/\[Service\]/a ProtectKernelTunables=yes" \
|
||||
-e "/\[Service\]/a ProtectKernelModules=true" \
|
||||
-e "/\[Service\]/a ProtectControlGroups=true" \
|
||||
-e "/\[Service\]/a ProtectHostname=true" \
|
||||
-e "/\[Service\]/a ProtectKernelLogs=true" \
|
||||
-e "/\[Service\]/a LockPersonality=yes" \
|
||||
-e "/\[Service\]/a MemoryDenyWriteExecute=yes" \
|
||||
-e "/\[Service\]/a NoNewPrivileges=yes" \
|
||||
-e "/\[Service\]/a RestrictSUIDSGID=yes" \
|
||||
-e "/\[Service\]/a RestrictRealtime=yes" \
|
||||
-e "/\[Service\]/a PrivateDevices=yes" \
|
||||
-e "/\[Service\]/a PrivateUsers=yes" \
|
||||
-e "/\[Service\]/a SystemCallArchitectures=native" \
|
||||
-e "/\[Service\]/a ProtectClock=yes" \
|
||||
-e "/\[Service\]/a UMask=7177" \
|
||||
-e "/\[Service\]/a NoExecPaths=/" \
|
||||
-e "/\[Service\]/a ExecPaths=/usr/bin/teleirc $(prefix)/$(get_libdir)" \
|
||||
sed -i -e "/\[Service\]/a NoExecPaths=/" \
|
||||
-e "/\[Service\]/a ExecPaths=/usr/bin/teleirc ${prefix}/$(get_libdir)" \
|
||||
deployments/systemd/teleirc@.service || die
|
||||
|
||||
}
|
||||
@ -64,7 +37,7 @@ src_compile() {
|
||||
|
||||
src_install() {
|
||||
systemd_dounit deployments/systemd/teleirc@.service
|
||||
# systemd_install_dropin foo.service "${FILESDIR}/foo.service.conf"
|
||||
newtmpfiles deployments/systemd/teleirc.tmpfiles teleirc.conf
|
||||
|
||||
insinto /etc/"${PN}"
|
||||
newins env.example example
|
||||
|
||||
Loading…
Reference in New Issue
Block a user