Merge pull request 'net-im/teleirc: hardening service' (#5) from teleirc into master

Reviewed-on: #5
2025-02-11 18:39:04 +03:00 · 2025-02-11 18:39:04 +03:00 · 37df1d6d68
commit 37df1d6d68
parent b93b20592e 1877bcc2da
2 changed files with 67 additions and 30 deletions
--- a/net-im/teleirc/files/0099-hardening-service.patch
+++ b/net-im/teleirc/files/0099-hardening-service.patch
@ -0,0 +1,64 @@
+From 4d747ec9f76b56fd446d09a97dc6bbf110566727 Mon Sep 17 00:00:00 2001
+From: Alexander Miroshnichenko <alex@millerson.name>
+Date: Tue, 11 Feb 2025 18:21:54 +0300
+Subject: [PATCH] hardening service
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
+---
+ deployments/systemd/teleirc.sysusers |  1 -
+ deployments/systemd/teleirc@.service | 28 ++++++++++++++++++++++++++--
+ 2 files changed, 26 insertions(+), 3 deletions(-)
+ delete mode 100644 deployments/systemd/teleirc.sysusers
+
+diff --git a/deployments/systemd/teleirc.sysusers b/deployments/systemd/teleirc.sysusers
+deleted file mode 100644
+index f25c7d1d4088..000000000000
+--- a/deployments/systemd/teleirc.sysusers
+++ /dev/null
+@@ -1 +0,0 @@
+-u teleirc - "TeleIRC Service"
+diff --git a/deployments/systemd/teleirc@.service b/deployments/systemd/teleirc@.service
+index 17bb19a50001..36acacac7f28 100644
+--- a/deployments/systemd/teleirc@.service
+++ b/deployments/systemd/teleirc@.service
+@@ -4,9 +4,33 @@ Requires=network.target
+ After=multi-user.target
+ 
+ [Service]
+DynamicUser=true
+LoadCredential=%i:/etc/teleirc/%i
+AmbientCapabilities=
+CapabilityBoundingSet=
+RestrictNamespaces=yes
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ProtectProc=invisible
+ProcSubset=pid
+ProtectKernelTunables=yes
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+PrivateDevices=yes
+PrivateUsers=yes
+SystemCallArchitectures=native
+ProtectClock=yes
+UMask=7177
+ Type=simple
+-User=teleirc
+-ExecStart=/usr/local/bin/teleirc -conf /etc/teleirc/%i
+ExecStart=/usr/bin/teleirc -conf %d/%i
+ Restart=always
+ RestartSec=60
+ 
+-- 
+2.41.0
+
--- a/net-im/teleirc/teleirc-2.3.0.ebuild
+++ b/net-im/teleirc/teleirc-2.3.0.ebuild
@ -24,35 +24,8 @@ src_prepare() {
        )
        default

-        sed -i -e "s@/usr/local/bin/@/usr/bin/@" \
-        -e "/^User=/Id" \
-        -e "/\[Service\]/a DynamicUser=true" \
-        -e "/\[Service\]/a LoadCredential=%i:/etc/teleirc/%i" \
-        -e "/\[Service\]/a AmbientCapabilities=" \
-        -e "/\[Service\]/a CapabilityBoundingSet=" \
-        -e "/\[Service\]/a RestrictNamespaces=yes" \
-        -e "/\[Service\]/a ProtectSystem=strict" \
-        -e "/\[Service\]/a ProtectHome=true" \
-        -e "/\[Service\]/a PrivateTmp=true" \
-        -e "/\[Service\]/a ProtectProc=invisible" \
-        -e "/\[Service\]/a ProcSubset=pid" \
-        -e "/\[Service\]/a ProtectKernelTunables=yes" \
-        -e "/\[Service\]/a ProtectKernelModules=true" \
-        -e "/\[Service\]/a ProtectControlGroups=true" \
-        -e "/\[Service\]/a ProtectHostname=true" \
-        -e "/\[Service\]/a ProtectKernelLogs=true" \
-        -e "/\[Service\]/a LockPersonality=yes" \
-        -e "/\[Service\]/a MemoryDenyWriteExecute=yes" \
-        -e "/\[Service\]/a NoNewPrivileges=yes" \
-        -e "/\[Service\]/a RestrictSUIDSGID=yes" \
-        -e "/\[Service\]/a RestrictRealtime=yes" \
-        -e "/\[Service\]/a PrivateDevices=yes" \
-        -e "/\[Service\]/a PrivateUsers=yes" \
-        -e "/\[Service\]/a SystemCallArchitectures=native" \
-        -e "/\[Service\]/a ProtectClock=yes" \
-        -e "/\[Service\]/a UMask=7177" \
-        -e "/\[Service\]/a NoExecPaths=/" \
-        -e "/\[Service\]/a ExecPaths=/usr/bin/teleirc $(prefix)/$(get_libdir)" \
+        sed -i -e "/\[Service\]/a NoExecPaths=/" \
+        -e "/\[Service\]/a ExecPaths=/usr/bin/teleirc ${prefix}/$(get_libdir)" \
        deployments/systemd/teleirc@.service || die

 }
@ -64,7 +37,7 @@ src_compile() {

 src_install() {
    systemd_dounit deployments/systemd/teleirc@.service
-    # systemd_install_dropin foo.service "${FILESDIR}/foo.service.conf"
+    newtmpfiles deployments/systemd/teleirc.tmpfiles teleirc.conf

    insinto /etc/"${PN}"
    newins env.example example