millerson.name/gentoo-overlay
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge pull request 'net-im/teleirc: hardening service' (#5) from teleirc into master

Browse Source 
Reviewed-on: #5
This commit is contained in:
Alexander Miroshnichenko 2025-02-11 18:39:04 +03:00
commit 37df1d6d68
2 changed files with 67 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
net-im/teleirc/files/0099-hardening-service.patch Normal file
View File

@ -0,0 +1,64 @@
From 4d747ec9f76b56fd446d09a97dc6bbf110566727 Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko <alex@millerson.name>
Date: Tue, 11 Feb 2025 18:21:54 +0300
Subject: [PATCH] hardening service
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
---
deployments/systemd/teleirc.sysusers | 1 -
deployments/systemd/teleirc@.service | 28 ++++++++++++++++++++++++++--
2 files changed, 26 insertions(+), 3 deletions(-)
delete mode 100644 deployments/systemd/teleirc.sysusers
diff --git a/deployments/systemd/teleirc.sysusers b/deployments/systemd/teleirc.sysusers
deleted file mode 100644
index f25c7d1d4088..000000000000
--- a/deployments/systemd/teleirc.sysusers
+++ /dev/null
@@ -1 +0,0 @@
-u teleirc - "TeleIRC Service"
diff --git a/deployments/systemd/teleirc@.service b/deployments/systemd/teleirc@.service
index 17bb19a50001..36acacac7f28 100644
--- a/deployments/systemd/teleirc@.service
+++ b/deployments/systemd/teleirc@.service
@@ -4,9 +4,33 @@ Requires=network.target
After=multi-user.target
[Service]
+DynamicUser=true
+LoadCredential=%i:/etc/teleirc/%i
+AmbientCapabilities=
+CapabilityBoundingSet=
+RestrictNamespaces=yes
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ProtectProc=invisible
+ProcSubset=pid
+ProtectKernelTunables=yes
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+PrivateDevices=yes
+PrivateUsers=yes
+SystemCallArchitectures=native
+ProtectClock=yes
+UMask=7177
Type=simple
-User=teleirc
-ExecStart=/usr/local/bin/teleirc -conf /etc/teleirc/%i
+ExecStart=/usr/bin/teleirc -conf %d/%i
Restart=always
RestartSec=60
--
2.41.0

33
net-im/teleirc/teleirc-2.3.0.ebuild
View File

@ -24,35 +24,8 @@ src_prepare() {
) )
default default
sed -i -e "s@/usr/local/bin/@/usr/bin/@" \ sed -i -e "/\[Service\]/a NoExecPaths=/" \
-e "/^User=/Id" \ -e "/\[Service\]/a ExecPaths=/usr/bin/teleirc ${prefix}/$(get_libdir)" \
-e "/\[Service\]/a DynamicUser=true" \
-e "/\[Service\]/a LoadCredential=%i:/etc/teleirc/%i" \
-e "/\[Service\]/a AmbientCapabilities=" \
-e "/\[Service\]/a CapabilityBoundingSet=" \
-e "/\[Service\]/a RestrictNamespaces=yes" \
-e "/\[Service\]/a ProtectSystem=strict" \
-e "/\[Service\]/a ProtectHome=true" \
-e "/\[Service\]/a PrivateTmp=true" \
-e "/\[Service\]/a ProtectProc=invisible" \
-e "/\[Service\]/a ProcSubset=pid" \
-e "/\[Service\]/a ProtectKernelTunables=yes" \
-e "/\[Service\]/a ProtectKernelModules=true" \
-e "/\[Service\]/a ProtectControlGroups=true" \
-e "/\[Service\]/a ProtectHostname=true" \
-e "/\[Service\]/a ProtectKernelLogs=true" \
-e "/\[Service\]/a LockPersonality=yes" \
-e "/\[Service\]/a MemoryDenyWriteExecute=yes" \
-e "/\[Service\]/a NoNewPrivileges=yes" \
-e "/\[Service\]/a RestrictSUIDSGID=yes" \
-e "/\[Service\]/a RestrictRealtime=yes" \
-e "/\[Service\]/a PrivateDevices=yes" \
-e "/\[Service\]/a PrivateUsers=yes" \
-e "/\[Service\]/a SystemCallArchitectures=native" \
-e "/\[Service\]/a ProtectClock=yes" \
-e "/\[Service\]/a UMask=7177" \
-e "/\[Service\]/a NoExecPaths=/" \
-e "/\[Service\]/a ExecPaths=/usr/bin/teleirc $(prefix)/$(get_libdir)" \
deployments/systemd/teleirc@.service || die deployments/systemd/teleirc@.service || die
} }
@ -64,7 +37,7 @@ src_compile() {
src_install() { src_install() {
systemd_dounit deployments/systemd/teleirc@.service systemd_dounit deployments/systemd/teleirc@.service
# systemd_install_dropin foo.service "${FILESDIR}/foo.service.conf" newtmpfiles deployments/systemd/teleirc.tmpfiles teleirc.conf
insinto /etc/"${PN}" insinto /etc/"${PN}"
newins env.example example newins env.example example