[1/2] paccache.service.in: Harden unit

Message ID 20210709082137.jfz65japcq2nenv6@gmail.com
State Deferred

Commit Message

Frederik “Freso” S. Olesen July 9, 2021, 8:21 a.m. UTC
Adds a number of sandboxing and other hardening options to the
paccache.service file.

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
---
 src/Makefile.am         |  2 ++
 src/paccache.service.in | 28 ++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

Comments

morganamilo July 9, 2021, 8:56 a.m. UTC | #1
On 09/07/2021 09:21, Frederik “Freso” S. Olesen via pacman-contrib wrote:
> Adds a number of sandboxing and other hardening options to the
> paccache.service file.
> 
> Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
> ---
>  src/Makefile.am         |  2 ++
>  src/paccache.service.in | 28 ++++++++++++++++++++++++++++
>  2 files changed, 30 insertions(+)
> 
> diff --git a/src/Makefile.am b/src/Makefile.am
> index eef0590..e5af195 100644
> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -8,6 +8,7 @@ DIST_SUBDIRS = $(SUBDIRS)
>  conffile  = ${sysconfdir}/pacman.conf
>  dbpath    = ${localstatedir}/lib/pacman/
>  gpgdir    = ${sysconfdir}/pacman.d/gnupg/
> +cachedir  = ${localstatedir}/cache/pacman
>  
>  bin_SCRIPTS = \
>  	$(OURSCRIPTS)
> @@ -95,6 +96,7 @@ AM_CFLAGS = \
>  
>  edit = sed \
>  	-e 's|@bindir[@]|$(bindir)|g' \
> +	-e 's|@cachedir[@]|$(cachedir)|g' \
>  	-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
>  	-e 's|@localstatedir[@]|$(localstatedir)|g' \
>  	-e 's|@PACKAGE_VERSION[@]|$(REAL_PACKAGE_VERSION)|g' \
> diff --git a/src/paccache.service.in b/src/paccache.service.in
> index cd28e67..0f71f5f 100644
> --- a/src/paccache.service.in
> +++ b/src/paccache.service.in
> @@ -4,3 +4,31 @@ Description=Remove unused cached package files
>  [Service]
>  Type=oneshot
>  ExecStart=@bindir@/paccache -r
> +# Sandboxing and other hardening
> +ProtectProc=invisible
> +ProcSubset=pid
> +NoNewPrivileges=yes
> +ProtectSystem=strict
> +ProtectHome=yes
> +ReadWritePaths=@cachedir@/pkg

I and many others have multiple custom cachedirs.

> +PrivateTmp=yes
> +PrivateDevices=yes
> +PrivateNetwork=yes
> +PrivateIPC=yes
> +PrivateUsers=yes
> +ProtectHostname=yes
> +ProtectClock=yes
> +ProtectKernelTunables=yes
> +ProtectKernelModules=yes
> +ProtectKernelLogs=yes
> +ProtectControlGroups=yes
> +RestrictAddressFamilies=AF_UNIX
> +RestrictNamespaces=yes
> +LockPersonality=yes
> +MemoryDenyWriteExecute=yes
> +RestrictRealtime=yes
> +RestrictSUIDSGID=yes
> +RemoveIPC=yes
> +PrivateMounts=yes
> +SystemCallFilter=@file-system
> +SystemCallArchitectures=native
>

Patch

diff --git a/src/Makefile.am b/src/Makefile.am
index eef0590..e5af195 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -8,6 +8,7 @@  DIST_SUBDIRS = $(SUBDIRS)
 conffile  = ${sysconfdir}/pacman.conf
 dbpath    = ${localstatedir}/lib/pacman/
 gpgdir    = ${sysconfdir}/pacman.d/gnupg/
+cachedir  = ${localstatedir}/cache/pacman
 
 bin_SCRIPTS = \
 	$(OURSCRIPTS)
@@ -95,6 +96,7 @@  AM_CFLAGS = \
 
 edit = sed \
 	-e 's|@bindir[@]|$(bindir)|g' \
+	-e 's|@cachedir[@]|$(cachedir)|g' \
 	-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
 	-e 's|@localstatedir[@]|$(localstatedir)|g' \
 	-e 's|@PACKAGE_VERSION[@]|$(REAL_PACKAGE_VERSION)|g' \
diff --git a/src/paccache.service.in b/src/paccache.service.in
index cd28e67..0f71f5f 100644
--- a/src/paccache.service.in
+++ b/src/paccache.service.in
@@ -4,3 +4,31 @@  Description=Remove unused cached package files
 [Service]
 Type=oneshot
 ExecStart=@bindir@/paccache -r
+# Sandboxing and other hardening
+ProtectProc=invisible
+ProcSubset=pid
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=@cachedir@/pkg
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateIPC=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=@file-system
+SystemCallArchitectures=native
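Review bot: `SystemCallFilter=@file-system` near the end of the hunk is an allow-list, and that group covers only open/stat/rename-style calls; it omits the read/write (`@basic-io`), fork/execve (`@process`) and memory-management groups that the shell script started by `ExecStart=@bindir@/paccache -r` needs to run and to spawn its helpers, so as written the unit would most likely be killed with SIGSYS on its first denied syscall — worth verifying on an installed system before this is merged. The usual base for a service is `SystemCallFilter=@system-service`, which can then be tightened with a deny line such as `SystemCallFilter=~@privileged @resources`. Adding `SystemCallErrorNumber=EPERM` turns a filter violation into a failing call that paccache can report rather than a silent kill, which makes an over-tight filter much easier to diagnose from the journal. The hardening list would also benefit from a one-line comment above it naming the systemd version these directives require, since several of them (ProtectProc=, ProcSubset=, PrivateIPC=) are newer than the rest and are silently ignored by older systemd.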