net-im/teleirc: hardening service

2025-02-11 18:35:16 +03:00
parent 4d34160920
commit 1877bcc2da
2 changed files with 67 additions and 30 deletions


@@ -24,35 +24,8 @@ src_prepare() {
)
default
sed -i -e "s@/usr/local/bin/@/usr/bin/@" \
-e "/^User=/Id" \
-e "/\[Service\]/a DynamicUser=true" \
-e "/\[Service\]/a LoadCredential=%i:/etc/teleirc/%i" \
-e "/\[Service\]/a AmbientCapabilities=" \
-e "/\[Service\]/a CapabilityBoundingSet=" \
-e "/\[Service\]/a RestrictNamespaces=yes" \
-e "/\[Service\]/a ProtectSystem=strict" \
-e "/\[Service\]/a ProtectHome=true" \
-e "/\[Service\]/a PrivateTmp=true" \
-e "/\[Service\]/a ProtectProc=invisible" \
-e "/\[Service\]/a ProcSubset=pid" \
-e "/\[Service\]/a ProtectKernelTunables=yes" \
-e "/\[Service\]/a ProtectKernelModules=true" \
-e "/\[Service\]/a ProtectControlGroups=true" \
-e "/\[Service\]/a ProtectHostname=true" \
-e "/\[Service\]/a ProtectKernelLogs=true" \
-e "/\[Service\]/a LockPersonality=yes" \
-e "/\[Service\]/a MemoryDenyWriteExecute=yes" \
-e "/\[Service\]/a NoNewPrivileges=yes" \
-e "/\[Service\]/a RestrictSUIDSGID=yes" \
-e "/\[Service\]/a RestrictRealtime=yes" \
-e "/\[Service\]/a PrivateDevices=yes" \
-e "/\[Service\]/a PrivateUsers=yes" \
-e "/\[Service\]/a SystemCallArchitectures=native" \
-e "/\[Service\]/a ProtectClock=yes" \
-e "/\[Service\]/a UMask=7177" \
-e "/\[Service\]/a NoExecPaths=/" \
-e "/\[Service\]/a ExecPaths=/usr/bin/teleirc $(prefix)/$(get_libdir)" \
sed -i -e "/\[Service\]/a NoExecPaths=/" \
-e "/\[Service\]/a ExecPaths=/usr/bin/teleirc ${prefix}/$(get_libdir)" \
deployments/systemd/teleirc@.service || die
}
@@ -64,7 +37,7 @@ src_compile() {
src_install() {
systemd_dounit deployments/systemd/teleirc@.service
# systemd_install_dropin foo.service "${FILESDIR}/foo.service.conf"
newtmpfiles deployments/systemd/teleirc.tmpfiles teleirc.conf
insinto /etc/"${PN}"
newins env.example example
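Review bot: In the new `ExecPaths=` line of the src_prepare sed, `${prefix}` is not assigned anywhere in the visible lines and is not a variable the ebuild environment provides, so unless it is set above the hunk (src_prepare starts outside it) it expands to nothing and the allow-list becomes `/usr/bin/teleirc /$(get_libdir)`. If the prefixed library directory was meant, the usual spelling is `${EPREFIX}/usr/$(get_libdir)`; if the root libdir was meant, drop the variable and say so in a comment, because with `NoExecPaths=/` this one line is the whole exec allow-list for the service. Separately, `sed -i` exits 0 when `[Service]` does not match, so `|| die` will not notice a unit installed without these two directives; a follow-up `grep -q '^NoExecPaths=/' deployments/systemd/teleirc@.service || die` would catch that.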