net-proxy/youtubeUnblock: hardening service

2025-01-22 19:22:02 +03:00 · 2025-01-22 19:22:02 +03:00 · 5e7dfe235f
commit 5e7dfe235f
parent b85c9c5a11
1 changed files with 13 additions and 1 deletions
--- a/net-proxy/youtubeUnblock/youtubeUnblock-1.0.0_rc5.ebuild
+++ b/net-proxy/youtubeUnblock/youtubeUnblock-1.0.0_rc5.ebuild
@ -6,7 +6,7 @@ EAPI=8
 MY_P=${P/_/-}
 MODULES_OPTIONAL_IUSE="+modules"
-inherit linux-mod-r1
+inherit linux-mod-r1 fcaps
 DESCRIPTION="Bypasses Deep Packet Inspection (DPI) systems that rely on SNI"
 HOMEPAGE="https://github.com/Waujito/youtubeUnblock"
@ -30,6 +30,14 @@ src_prepare() {
        default
        sed -i "s@^KERNEL_BUILDER_MAKEDIR:=.*@KERNEL_BUILDER_MAKEDIR:=/lib/modules/${KV_FULL}/build@" kmake.mk || die "Fail to set desired kernel version in the Makefile"
        sed -i -e "/\[Service\]/a DynamicUser=true" \
        -e "/\[Service\]/a AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN" \
        -e "/\[Service\]/a CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW" \
        -e "/\[Service\]/a RestrictNamespaces=yes" \
        -e "/\[Service\]/a ProtectSystem=full" \
        -e "/\[Service\]/a ProtectHome=true" \
        -e "/\[Service\]/a PrivateTmp=true" \
        youtubeUnblock.service
 }
 src_compile() {
@ -54,6 +62,10 @@ src_install() {
 }
 pkg_postinst() {
 		if use uspace; then
 			fcaps cap_net_raw,cap_net_admin "${EROOT}"/usr/bin/"${PN}"
 		fi
        if use module-src && ! use modules; then
                einfo
                einfo "You have enabled the module-src USE flag without the modules USE"