net-im/teleirc: hardening service

2025-01-23 12:10:49 +03:00 · 2025-01-23 12:10:49 +03:00 · 4d34160920
commit 4d34160920
parent a7b02e0b4e
3 changed files with 33 additions and 23 deletions
--- a/acct-group/teleirc/teleirc-0.ebuild
+++ b/acct-group/teleirc/teleirc-0.ebuild
@ -1,8 +0,0 @@
-# Copyright 2023-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit acct-group
-
-ACCT_GROUP_ID=-1
--- a/acct-user/teleirc/teleirc-0.ebuild
+++ b/acct-user/teleirc/teleirc-0.ebuild
@ -1,11 +0,0 @@
-# Copyright 2023-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit acct-user
-
-ACCT_USER_ID=-1
-ACCT_USER_GROUPS=( ${PN} )
-
-acct-user_add_deps
--- a/net-im/teleirc/teleirc-2.3.0.ebuild
+++ b/net-im/teleirc/teleirc-2.3.0.ebuild
@ -15,18 +15,46 @@ SLOT="0"
 KEYWORDS="~amd64"

 DEPEND=""
-RDEPEND="${DEPEND}
-		acct-user/teleirc"
+RDEPEND="${DEPEND}"
 BDEPEND=""

 src_prepare() {
        local PATCHES=(
-                # meh, genpatches have no directory
                "${FILESDIR}"/*.patch
        )
        default

-        sed -i "s@/usr/local/bin/@/usr/bin/@" deployments/systemd/teleirc@.service || die
+        sed -i -e "s@/usr/local/bin/@/usr/bin/@" \
+        -e "/^User=/Id" \
+        -e "/\[Service\]/a DynamicUser=true" \
+        -e "/\[Service\]/a LoadCredential=%i:/etc/teleirc/%i" \
+        -e "/\[Service\]/a AmbientCapabilities=" \
+        -e "/\[Service\]/a CapabilityBoundingSet=" \
+        -e "/\[Service\]/a RestrictNamespaces=yes" \
+        -e "/\[Service\]/a ProtectSystem=strict" \
+        -e "/\[Service\]/a ProtectHome=true" \
+        -e "/\[Service\]/a PrivateTmp=true" \
+        -e "/\[Service\]/a ProtectProc=invisible" \
+        -e "/\[Service\]/a ProcSubset=pid" \
+        -e "/\[Service\]/a ProtectKernelTunables=yes" \
+        -e "/\[Service\]/a ProtectKernelModules=true" \
+        -e "/\[Service\]/a ProtectControlGroups=true" \
+        -e "/\[Service\]/a ProtectHostname=true" \
+        -e "/\[Service\]/a ProtectKernelLogs=true" \
+        -e "/\[Service\]/a LockPersonality=yes" \
+        -e "/\[Service\]/a MemoryDenyWriteExecute=yes" \
+        -e "/\[Service\]/a NoNewPrivileges=yes" \
+        -e "/\[Service\]/a RestrictSUIDSGID=yes" \
+        -e "/\[Service\]/a RestrictRealtime=yes" \
+        -e "/\[Service\]/a PrivateDevices=yes" \
+        -e "/\[Service\]/a PrivateUsers=yes" \
+        -e "/\[Service\]/a SystemCallArchitectures=native" \
+        -e "/\[Service\]/a ProtectClock=yes" \
+        -e "/\[Service\]/a UMask=7177" \
+        -e "/\[Service\]/a NoExecPaths=/" \
+        -e "/\[Service\]/a ExecPaths=/usr/bin/teleirc $(prefix)/$(get_libdir)" \
+        deployments/systemd/teleirc@.service || die
+
 }

 src_compile() {
@ -36,6 +64,7 @@ src_compile() {

 src_install() {
    systemd_dounit deployments/systemd/teleirc@.service
+    # systemd_install_dropin foo.service "${FILESDIR}/foo.service.conf"

    insinto /etc/"${PN}"
    newins env.example example