From 1877bcc2da844d098aeaea91f225a339ef7c9cbe Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko
Date: Tue, 11 Feb 2025 18:35:16 +0300
Subject: [PATCH] net-im/teleirc: hardening service
---
 .../files/0099-hardening-service.patch | 64 +++++++++++++++++++
 net-im/teleirc/teleirc-2.3.0.ebuild | 33 +---------
 2 files changed, 67 insertions(+), 30 deletions(-)
 create mode 100644 net-im/teleirc/files/0099-hardening-service.patch
diff --git a/net-im/teleirc/files/0099-hardening-service.patch b/net-im/teleirc/files/0099-hardening-service.patch
new file mode 100644
index 0000000..212b988
--- /dev/null
+++ b/net-im/teleirc/files/0099-hardening-service.patch
@@ -0,0 +1,64 @@
+From 4d747ec9f76b56fd446d09a97dc6bbf110566727 Mon Sep 17 00:00:00 2001
+From: Alexander Miroshnichenko
+Date: Tue, 11 Feb 2025 18:21:54 +0300
+Subject: [PATCH] hardening service
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Alexander Miroshnichenko
+---
+ deployments/systemd/teleirc.sysusers | 1 -
+ deployments/systemd/teleirc@.service | 28 ++++++++++++++++++++++++++--
+ 2 files changed, 26 insertions(+), 3 deletions(-)
+ delete mode 100644 deployments/systemd/teleirc.sysusers
+
+diff --git a/deployments/systemd/teleirc.sysusers b/deployments/systemd/teleirc.sysusers
+deleted file mode 100644
+index f25c7d1d4088..000000000000
+--- a/deployments/systemd/teleirc.sysusers
++++ /dev/null
+@@ -1 +0,0 @@
+-u teleirc - "TeleIRC Service"
+diff --git a/deployments/systemd/teleirc@.service b/deployments/systemd/teleirc@.service
+index 17bb19a50001..36acacac7f28 100644
+--- a/deployments/systemd/teleirc@.service
++++ b/deployments/systemd/teleirc@.service
+@@ -4,9 +4,33 @@ Requires=network.target
+ After=multi-user.target
+ 
+ [Service]
++DynamicUser=true
++LoadCredential=%i:/etc/teleirc/%i
++AmbientCapabilities=
++CapabilityBoundingSet=
++RestrictNamespaces=yes
++ProtectSystem=strict
++ProtectHome=true
++PrivateTmp=true
++ProtectProc=invisible
++ProcSubset=pid
++ProtectKernelTunables=yes
++ProtectKernelModules=true
++ProtectControlGroups=true
++ProtectHostname=true
++ProtectKernelLogs=true
++LockPersonality=yes
++MemoryDenyWriteExecute=yes
++NoNewPrivileges=yes
++RestrictSUIDSGID=yes
++RestrictRealtime=yes
++PrivateDevices=yes
++PrivateUsers=yes
++SystemCallArchitectures=native
++ProtectClock=yes
++UMask=7177
+ Type=simple
+-User=teleirc
+-ExecStart=/usr/local/bin/teleirc -conf /etc/teleirc/%i
++ExecStart=/usr/bin/teleirc -conf %d/%i
+ Restart=always
+ RestartSec=60
+ 
+--
+2.41.0
+
diff --git a/net-im/teleirc/teleirc-2.3.0.ebuild b/net-im/teleirc/teleirc-2.3.0.ebuild
index 8e34057..d433285 100644
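Review bot: The new [Service] block closes off capabilities, the filesystem and namespaces but leaves the socket and syscall surface open — there is no `RestrictAddressFamilies=` and no `SystemCallFilter=`, which are the two directives that most limit what a compromised bridge process can reach, and they belong next to `SystemCallArchitectures=native`. Since teleirc only needs IRC and Telegram over IP, `RestrictAddressFamilies=AF_INET AF_INET6` and `SystemCallFilter=@system-service` (tightened further with `SystemCallFilter=~@privileged @resources`) should be safe, but confirm against the Go runtime under test. `UMask=7177` has bits outside the 0777 mask the kernel honours, so it takes effect as 0177 and reads like a typo for the conventional `UMask=0077`. With `ProtectSystem=strict`, `DynamicUser=true` and no `StateDirectory=`/`LogsDirectory=`, the process has no writable path except its private /tmp, which is fine only if teleirc keeps no on-disk state — worth a one-line comment in the unit stating that assumption. Dropping teleirc.sysusers is consistent with DynamicUser, but anything that still names a static `teleirc` user (for instance the tmpfiles entry the ebuild installs further down) will no longer resolve; presumably that file was updated as well.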
--- a/net-im/teleirc/teleirc-2.3.0.ebuild
+++ b/net-im/teleirc/teleirc-2.3.0.ebuild
@@ -24,35 +24,8 @@ src_prepare() {
 )
 default
- sed -i -e "s@/usr/local/bin/@/usr/bin/@" \
- -e "/^User=/Id" \
- -e "/\[Service\]/a DynamicUser=true" \
- -e "/\[Service\]/a LoadCredential=%i:/etc/teleirc/%i" \
- -e "/\[Service\]/a AmbientCapabilities=" \
- -e "/\[Service\]/a CapabilityBoundingSet=" \
- -e "/\[Service\]/a RestrictNamespaces=yes" \
- -e "/\[Service\]/a ProtectSystem=strict" \
- -e "/\[Service\]/a ProtectHome=true" \
- -e "/\[Service\]/a PrivateTmp=true" \
- -e "/\[Service\]/a ProtectProc=invisible" \
- -e "/\[Service\]/a ProcSubset=pid" \
- -e "/\[Service\]/a ProtectKernelTunables=yes" \
- -e "/\[Service\]/a ProtectKernelModules=true" \
- -e "/\[Service\]/a ProtectControlGroups=true" \
- -e "/\[Service\]/a ProtectHostname=true" \
- -e "/\[Service\]/a ProtectKernelLogs=true" \
- -e "/\[Service\]/a LockPersonality=yes" \
- -e "/\[Service\]/a MemoryDenyWriteExecute=yes" \
- -e "/\[Service\]/a NoNewPrivileges=yes" \
- -e "/\[Service\]/a RestrictSUIDSGID=yes" \
- -e "/\[Service\]/a RestrictRealtime=yes" \
- -e "/\[Service\]/a PrivateDevices=yes" \
- -e "/\[Service\]/a PrivateUsers=yes" \
- -e "/\[Service\]/a SystemCallArchitectures=native" \
- -e "/\[Service\]/a ProtectClock=yes" \
- -e "/\[Service\]/a UMask=7177" \
- -e "/\[Service\]/a NoExecPaths=/" \
- -e "/\[Service\]/a ExecPaths=/usr/bin/teleirc $(prefix)/$(get_libdir)" \
+ sed -i -e "/\[Service\]/a NoExecPaths=/" \
+ -e "/\[Service\]/a ExecPaths=/usr/bin/teleirc ${prefix}/$(get_libdir)" \
 deployments/systemd/teleirc@.service || die
 }
@@ -64,7 +37,7 @@ src_compile() {
 src_install() {
 systemd_dounit deployments/systemd/teleirc@.service
- # systemd_install_dropin foo.service "${FILESDIR}/foo.service.conf"
+ newtmpfiles deployments/systemd/teleirc.tmpfiles teleirc.conf
 insinto /etc/"${PN}"
 newins env.example example
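Review bot: `${prefix}` on the new ExecPaths= line is not a variable the Gentoo ebuild environment provides — the install prefix is exposed as `EPREFIX` — so unless something above this hunk sets `prefix`, the unit ends up with `ExecPaths=/usr/bin/teleirc /lib64` (or `/lib`), which only works on a non-prefix system by accident. The removed line's `$(prefix)` was a command substitution of a command that does not exist, so this hunk is already an improvement, but the intended value is reached with `-e "/\[Service\]/a ExecPaths=/usr/bin/teleirc ${EPREFIX}/$(get_libdir)" \`. A second point: `|| die` only fires if sed itself fails, and an `a` command whose `/\[Service\]/` address matches nothing exits 0, so the exec restrictions would be silently absent from the installed unit; a `grep -q '^NoExecPaths=' deployments/systemd/teleirc@.service || die "hardening not applied"` after the sed turns that into a build failure. The opening lines of src_prepare() are above this hunk.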