net-im/teleirc: hardening service

acct-group/teleirc/teleirc-0.ebuild

@@ -1,8 +0,0 @@
-# Copyright 2023-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit acct-group
-
-ACCT_GROUP_ID=-1

acct-user/teleirc/teleirc-0.ebuild

@@ -1,11 +0,0 @@
-# Copyright 2023-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit acct-user
-
-ACCT_USER_ID=-1
-ACCT_USER_GROUPS=( ${PN} )
-
-acct-user_add_deps

net-im/teleirc/teleirc-2.3.0.ebuild

@@ -15,18 +15,46 @@ SLOT="0"
 KEYWORDS="~amd64"
 
 DEPEND=""
-RDEPEND="${DEPEND}
+RDEPEND="${DEPEND}"
-		acct-user/teleirc"
 BDEPEND=""
 
 src_prepare() {
         local PATCHES=(
-                # meh, genpatches have no directory
                 "${FILESDIR}"/*.patch
         )
         default
 
-        sed -i "s@/usr/local/bin/@/usr/bin/@" deployments/systemd/teleirc@.service || die
+        sed -i -e "s@/usr/local/bin/@/usr/bin/@" \
+        -e "/^User=/Id" \
+        -e "/\[Service\]/a DynamicUser=true" \
+        -e "/\[Service\]/a LoadCredential=%i:/etc/teleirc/%i" \
+        -e "/\[Service\]/a AmbientCapabilities=" \
+        -e "/\[Service\]/a CapabilityBoundingSet=" \
+        -e "/\[Service\]/a RestrictNamespaces=yes" \
+        -e "/\[Service\]/a ProtectSystem=strict" \
+        -e "/\[Service\]/a ProtectHome=true" \
+        -e "/\[Service\]/a PrivateTmp=true" \
+        -e "/\[Service\]/a ProtectProc=invisible" \
+        -e "/\[Service\]/a ProcSubset=pid" \
+        -e "/\[Service\]/a ProtectKernelTunables=yes" \
+        -e "/\[Service\]/a ProtectKernelModules=true" \
+        -e "/\[Service\]/a ProtectControlGroups=true" \
+        -e "/\[Service\]/a ProtectHostname=true" \
+        -e "/\[Service\]/a ProtectKernelLogs=true" \
+        -e "/\[Service\]/a LockPersonality=yes" \
+        -e "/\[Service\]/a MemoryDenyWriteExecute=yes" \
+        -e "/\[Service\]/a NoNewPrivileges=yes" \
+        -e "/\[Service\]/a RestrictSUIDSGID=yes" \
+        -e "/\[Service\]/a RestrictRealtime=yes" \
+        -e "/\[Service\]/a PrivateDevices=yes" \
+        -e "/\[Service\]/a PrivateUsers=yes" \
+        -e "/\[Service\]/a SystemCallArchitectures=native" \
+        -e "/\[Service\]/a ProtectClock=yes" \
+        -e "/\[Service\]/a UMask=7177" \
+        -e "/\[Service\]/a NoExecPaths=/" \
+        -e "/\[Service\]/a ExecPaths=/usr/bin/teleirc $(prefix)/$(get_libdir)" \
+        deployments/systemd/teleirc@.service || die
+
 }
 
 src_compile() {
@@ -36,6 +64,7 @@ src_compile() {
 
 src_install() {
     systemd_dounit deployments/systemd/teleirc@.service
+    # systemd_install_dropin foo.service "${FILESDIR}/foo.service.conf"
 
     insinto /etc/"${PN}"
     newins env.example example