| Message ID | 20210709110106.lli35ditcnz75psl@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [v2,1/2] paccache.service.in: Harden unit | expand |
Pushed, thank you! On 7/9/21 7:01 AM, Frederik “Freso” S. Olesen via pacman-contrib wrote: > Adds a number of sandboxing and other hardening options to the > paccache.service file. > > Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> > --- > src/paccache.service.in | 27 +++++++++++++++++++++++++++ > 1 file changed, 27 insertions(+) > > diff --git a/src/paccache.service.in b/src/paccache.service.in > index cd28e67..927574f 100644 > --- a/src/paccache.service.in > +++ b/src/paccache.service.in > @@ -4,3 +4,30 @@ Description=Remove unused cached package files > [Service] > Type=oneshot > ExecStart=@bindir@/paccache -r > +# Sandboxing and other hardening > +ProtectProc=invisible > +ProcSubset=pid > +NoNewPrivileges=yes > +ProtectSystem=full > +ProtectHome=yes > +PrivateTmp=yes > +PrivateDevices=yes > +PrivateNetwork=yes > +PrivateIPC=yes > +PrivateUsers=yes > +ProtectHostname=yes > +ProtectClock=yes > +ProtectKernelTunables=yes > +ProtectKernelModules=yes > +ProtectKernelLogs=yes > +ProtectControlGroups=yes > +RestrictAddressFamilies=AF_UNIX > +RestrictNamespaces=yes > +LockPersonality=yes > +MemoryDenyWriteExecute=yes > +RestrictRealtime=yes > +RestrictSUIDSGID=yes > +RemoveIPC=yes > +PrivateMounts=yes > +SystemCallFilter=@file-system > +SystemCallArchitectures=native
diff --git a/src/paccache.service.in b/src/paccache.service.in index cd28e67..927574f 100644 --- a/src/paccache.service.in +++ b/src/paccache.service.in @@ -4,3 +4,30 @@ Description=Remove unused cached package files [Service] Type=oneshot ExecStart=@bindir@/paccache -r +# Sandboxing and other hardening +ProtectProc=invisible +ProcSubset=pid +NoNewPrivileges=yes +ProtectSystem=full +ProtectHome=yes +PrivateTmp=yes +PrivateDevices=yes +PrivateNetwork=yes +PrivateIPC=yes +PrivateUsers=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes +PrivateMounts=yes +SystemCallFilter=@file-system +SystemCallArchitectures=native
Adds a number of sandboxing and other hardening options to the paccache.service file. Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> --- src/paccache.service.in | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+)