From 4d341609201ec17f619d0ca0e609981ca41112c1 Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko
Date: Thu, 23 Jan 2025 12:10:49 +0300
Subject: [PATCH] net-im/teleirc: hardening service
---
 acct-group/teleirc/teleirc-0.ebuild | 8 -------
 acct-user/teleirc/teleirc-0.ebuild | 11 ---------
 net-im/teleirc/teleirc-2.3.0.ebuild | 37 +++++++++++++++++++++++++----
 3 files changed, 33 insertions(+), 23 deletions(-)
 delete mode 100644 acct-group/teleirc/teleirc-0.ebuild
 delete mode 100644 acct-user/teleirc/teleirc-0.ebuild
diff --git a/acct-group/teleirc/teleirc-0.ebuild b/acct-group/teleirc/teleirc-0.ebuild
deleted file mode 100644
index 1f32da1..0000000
--- a/acct-group/teleirc/teleirc-0.ebuild
+++ /dev/null
@@ -1,8 +0,0 @@
-# Copyright 2023-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit acct-group
-
-ACCT_GROUP_ID=-1
diff --git a/acct-user/teleirc/teleirc-0.ebuild b/acct-user/teleirc/teleirc-0.ebuild
deleted file mode 100644
index 6267bdd..0000000
--- a/acct-user/teleirc/teleirc-0.ebuild
+++ /dev/null
@@ -1,11 +0,0 @@
-# Copyright 2023-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit acct-user
-
-ACCT_USER_ID=-1
-ACCT_USER_GROUPS=( ${PN} )
-
-acct-user_add_deps
diff --git a/net-im/teleirc/teleirc-2.3.0.ebuild b/net-im/teleirc/teleirc-2.3.0.ebuild
index acfda01..8e34057 100644
--- a/net-im/teleirc/teleirc-2.3.0.ebuild
+++ b/net-im/teleirc/teleirc-2.3.0.ebuild
@@ -15,18 +15,46 @@ SLOT="0"
 KEYWORDS="~amd64"
 DEPEND=""
-RDEPEND="${DEPEND}
- acct-user/teleirc"
+RDEPEND="${DEPEND}"
 BDEPEND=""
 src_prepare() {
 local PATCHES=(
- # meh, genpatches have no directory
 "${FILESDIR}"/*.patch
 )
 default
- sed -i "s@/usr/local/bin/@/usr/bin/@" deployments/systemd/teleirc@.service || die
+ sed -i -e "s@/usr/local/bin/@/usr/bin/@" \
+ -e "/^User=/Id" \
+ -e "/\[Service\]/a DynamicUser=true" \
+ -e "/\[Service\]/a LoadCredential=%i:/etc/teleirc/%i" \
+ -e "/\[Service\]/a AmbientCapabilities=" \
+ -e "/\[Service\]/a CapabilityBoundingSet=" \
+ -e "/\[Service\]/a RestrictNamespaces=yes" \
+ -e "/\[Service\]/a ProtectSystem=strict" \
+ -e "/\[Service\]/a ProtectHome=true" \
+ -e "/\[Service\]/a PrivateTmp=true" \
+ -e "/\[Service\]/a ProtectProc=invisible" \
+ -e "/\[Service\]/a ProcSubset=pid" \
+ -e "/\[Service\]/a ProtectKernelTunables=yes" \
+ -e "/\[Service\]/a ProtectKernelModules=true" \
+ -e "/\[Service\]/a ProtectControlGroups=true" \
+ -e "/\[Service\]/a ProtectHostname=true" \
+ -e "/\[Service\]/a ProtectKernelLogs=true" \
+ -e "/\[Service\]/a LockPersonality=yes" \
+ -e "/\[Service\]/a MemoryDenyWriteExecute=yes" \
+ -e "/\[Service\]/a NoNewPrivileges=yes" \
+ -e "/\[Service\]/a RestrictSUIDSGID=yes" \
+ -e "/\[Service\]/a RestrictRealtime=yes" \
+ -e "/\[Service\]/a PrivateDevices=yes" \
+ -e "/\[Service\]/a PrivateUsers=yes" \
+ -e "/\[Service\]/a SystemCallArchitectures=native" \
+ -e "/\[Service\]/a ProtectClock=yes" \
+ -e "/\[Service\]/a UMask=7177" \
+ -e "/\[Service\]/a NoExecPaths=/" \
+ -e "/\[Service\]/a ExecPaths=/usr/bin/teleirc $(prefix)/$(get_libdir)" \
+ deployments/systemd/teleirc@.service || die
+
 }
 src_compile() {
@@ -36,6 +64,7 @@ src_compile() {
 src_install() {
 systemd_dounit deployments/systemd/teleirc@.service
+ # systemd_install_dropin foo.service "${FILESDIR}/foo.service.conf"
 insinto /etc/"${PN}"
 newins env.example example
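Review bot: Two of the directives appended by the new sed call in src_prepare look wrong as written: `UMask=7177` and the `$(prefix)` inside the `ExecPaths=` expression. As far as I can tell umask only honours the permission bits, so this behaves like 0177, which also strips the owner search bit from any directory the service creates; `UMask=0077` is the usual value. `prefix` is not an ebuild helper I know of, so the substitution probably expands to nothing without tripping `|| die`; `${EPREFIX}/usr/$(get_libdir)` may be what was intended. Separately, `LoadCredential=%i:/etc/teleirc/%i` only protects the config if ExecStart reads the copy under `%d/%i`; nothing in this hunk rewrites ExecStart, so with `DynamicUser=true` and the teleirc account gone, the file holding the bridge tokens would have to be readable by an arbitrary UID unless one of the FILESDIR patches handles it.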
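Review bot: The added comment `# systemd_install_dropin foo.service "${FILESDIR}/foo.service.conf"` in src_install is a leftover placeholder (the `foo.service` names refer to nothing in this package) and should be dropped before merge. If the intent is to move the hardening into a drop-in, doing that for real would replace the sed chain in src_prepare with a file under FILESDIR that can be reviewed directly, and it would not silently stop applying if upstream's unit no longer matches `[Service]`. src_install continues past the end of the hunk.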