| Message ID | 20211130125356.ivmvurk4uccmna6t@gmail.com |
|---|---|
| State | New |
| Headers | show
Return-Path: <pacman-contrib-bounces@lists.archlinux.org> Delivered-To: patchwork@archlinux.org Received: from mail.archlinux.org [2a01:4f9:c010:3052::1] by patchwork.archlinux.org with IMAP (fetchmail-6.4.24) for <fetchmail@localhost> (single-drop); Tue, 30 Nov 2021 12:54:04 +0000 (UTC) Received: from mail.archlinux.org by mail.archlinux.org with LMTP id uKWMFewepmHIpAUAK+/4rw (envelope-from <pacman-contrib-bounces@lists.archlinux.org>) for <patchwork@archlinux.org>; Tue, 30 Nov 2021 12:54:04 +0000 Received: from lists.archlinux.org (lists.archlinux.org [IPv6:2a01:4f9:c010:9eb4::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.archlinux.org (Postfix) with ESMTPS id 7D967ADEAF9; Tue, 30 Nov 2021 12:54:03 +0000 (UTC) Received: from lists.archlinux.org (localhost [IPv6:::1]) by lists.archlinux.org (Postfix) with ESMTP id 37025A170A2; Tue, 30 Nov 2021 12:54:03 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=lists.archlinux.org; s=dkim-ed25519; t=1638276843; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=37Gia+TJhAm/ajv5vmQW9OjJZKT+ZHqjRWEdekLNe0E=; b=9Qk3EEt4CyStH3qW0htLi9g4KbHajgZqOL8kpdJJoguJdwoY9ESKjdHnc9jCxiG249K9Vv XEKvrrmIbuSjm/Bw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.archlinux.org; s=dkim-rsa; t=1638276843; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=37Gia+TJhAm/ajv5vmQW9OjJZKT+ZHqjRWEdekLNe0E=; b=okuncKghbmQpwJ0x92aVIWYC6KdWSSzNdwbymmWEwYijS0v4luldFEcyVns8SVbbhwh60C i6XdmOuivrVltRkFwrNnQ37IrMNaPQMk0MIKFpAVSyDOv8m7wKnvK6dFA73FEE17+PPVRV QWcfFGQIkbep1cOcB2Sh0sTEwkSWIxahiZtOmig3Vf7ilwoqKit/VaX0uYfKKynUcfyiiw kTDQXqVq9KlnT8P8UMMKk+UaJaP2LAE7nbPmzYpGr2ZNQDuKngfItPWtvit/umnvPGFPSX ryLsmOpq8JFNpg5kvoYDGjmd8xeRCXbxTXDIUnLeaeEPzvzZvLn81TNdEMkc2IYPp3CrHE Ib8hLs7g0LGx/ZW3YdqG13op8vpvYtEmHrQlKvp3Or/5EisT5wyUsbyJX11HCOnQ/TJwZQ 2Iz2F3uuB18CebEbI4dlYKmosnlO6zF+Wp8Flri/K71NJWrKSuUqQcZ+Pa7qXjfmIRLpjC JzC2PIb5uzqprK2R7eZCbxnwvIAHDim9YiKyZySgHn3Q5+a9jlSYrqgyJ5AjxGBdcMSrER 5ZQoF0ADqA3oBlUhkwKMrdXR+YgwOCp95llFMbHzjlGPO+GtAJNOfXMTKvw+Y5dHCmBAyt PmadH1j57HI+Uf18ID9BKXucrxYuu1thxYomJBbUIOiH8aJrvqiZ0= X-Original-To: pacman-contrib@lists.archlinux.org Delivered-To: pacman-contrib@lists.archlinux.org Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) by lists.archlinux.org (Postfix) with ESMTPS id E6670A17090 for <pacman-contrib@lists.archlinux.org>; Tue, 30 Nov 2021 12:54:00 +0000 (UTC) Received: by mail-wm1-x333.google.com with SMTP id p3-20020a05600c1d8300b003334fab53afso19435351wms.3 for <pacman-contrib@lists.archlinux.org>; Tue, 30 Nov 2021 04:54:00 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:subject:message-id:mime-version :content-disposition:in-reply-to; bh=37Gia+TJhAm/ajv5vmQW9OjJZKT+ZHqjRWEdekLNe0E=; b=PRNh9KIbEhgvbqStJQHDwjEAgXROnRlAn8N+YVknA3heOP2thU605G1kp2nIGbc4Mz 3xtug3KTS+2UbF0Cf6PGgaCDFYWKqeZL1uLkAf2Sgp7jin/4XoUgUwHCdeKqWZrqBaXm BjWDTM2rCD2VvJML+QIjlYcDGTQoo1KmdIJc224LK5niBHrFgWdf2oq2dzKyUaGBRKog sk0X5uRyA/DkSBuTtUT1DgbuuLod8l8mLh4fTfGLOKpJ0k9Khv+M6OnkBIhcdqrnlXIt 5x9L3PCUV9rwZK1fkQ/rJIrxYZpAxedkRBsXGR3mZxadeNRFAfzL2NSGjskuxwsGsJbJ eklA== X-Gm-Message-State: AOAM531JLXF2xvuDB3oyBbXFMnNIOtEqrHsq4NWEWcQdSdjBzqjgFlmh NIbNI5wDDoYVoV4ekUoKfJAPXCEQ0kuw3w== X-Google-Smtp-Source: ABdhPJwuhmhPeBJtnW0eJz0r/2M0UBz9nC37Btso4yA2xR1y/5teBf3IjW18nU+jsc2cxtC4ibmL/g== X-Received: by 2002:a7b:c084:: with SMTP id r4mr4757610wmh.107.1638276840142; Tue, 30 Nov 2021 04:54:00 -0800 (PST) Received: from gmail.com (h88-129-191-159.cust.a3fiber.se. [88.129.191.159]) by smtp.gmail.com with ESMTPSA id d188sm2424577wmd.3.2021.11.30.04.53.59 for <pacman-contrib@lists.archlinux.org> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Nov 2021 04:53:59 -0800 (PST) Date: Tue, 30 Nov 2021 13:53:56 +0100 To: pacman-contrib@lists.archlinux.org Subject: [PATCH 2/2] paccache.service.in: Restrict all (network) address families Message-ID: <20211130125356.ivmvurk4uccmna6t@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="kq7lbu3j63ipaui7" Content-Disposition: inline In-Reply-To: <20211130123822.54xbnorwntnuttol@gmail.com> X-BeenThere: pacman-contrib@lists.archlinux.org X-Mailman-Version: 2.1.37 Precedence: list List-Id: Discussion list for pacman-contrib development <pacman-contrib.lists.archlinux.org> List-Unsubscribe: <https://lists.archlinux.org/options/pacman-contrib>, <mailto:pacman-contrib-request@lists.archlinux.org?subject=unsubscribe> List-Archive: <https://lists.archlinux.org/pipermail/pacman-contrib/> List-Post: <mailto:pacman-contrib@lists.archlinux.org> List-Help: <mailto:pacman-contrib-request@lists.archlinux.org?subject=help> List-Subscribe: <https://lists.archlinux.org/listinfo/pacman-contrib>, <mailto:pacman-contrib-request@lists.archlinux.org?subject=subscribe> From: =?utf-8?q?Frederik_=E2=80=9CFreso=E2=80=9D_S=2E_Olesen_via_pacman-cont?= =?utf-8?q?rib?= <pacman-contrib@lists.archlinux.org> Reply-To: Discussion list for pacman-contrib development <pacman-contrib@lists.archlinux.org> Cc: Frederik =?utf-8?b?4oCcRnJlc2/igJ0gUy4=?= Olesen <freso.dk@gmail.com> Errors-To: pacman-contrib-bounces@lists.archlinux.org Sender: "pacman-contrib" <pacman-contrib-bounces@lists.archlinux.org> Authentication-Results: mail.archlinux.org; dkim=pass header.d=lists.archlinux.org header.s=dkim-ed25519 header.b=9Qk3EEt4; dkim=pass header.d=lists.archlinux.org header.s=dkim-rsa header.b=okuncKgh; dmarc=pass (policy=none) header.from=archlinux.org; spf=pass (mail.archlinux.org: domain of pacman-contrib-bounces@lists.archlinux.org designates 2a01:4f9:c010:9eb4::1 as permitted sender) smtp.mailfrom=pacman-contrib-bounces@lists.archlinux.org X-Rspamd-Queue-Id: 7D967ADEAF9 X-Spamd-Result: default: False [-6.01 / 15.00]; SIGNED_PGP(-2.00)[]; DWL_DNSWL_MED(-2.00)[archlinux.org:dkim]; RCVD_DKIM_ARC_DNSWL_MED(-0.50)[]; DMARC_POLICY_ALLOW(-0.50)[archlinux.org,none]; R_DKIM_ALLOW(-0.20)[lists.archlinux.org:s=dkim-ed25519,lists.archlinux.org:s=dkim-rsa]; RCVD_IN_DNSWL_MED(-0.20)[2a01:4f9:c010:9eb4::1:from]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; R_SPF_ALLOW(-0.20)[+ip6:2a01:4f9:c010:9eb4::1]; MAILLIST(-0.20)[mailman]; HAS_LIST_UNSUB(-0.01)[]; TAGGED_RCPT(0.00)[]; FROM_HAS_DN(0.00)[]; HAS_REPLYTO(0.00)[pacman-contrib@lists.archlinux.org]; RCVD_COUNT_FIVE(0.00)[5]; PREVIOUSLY_DELIVERED(0.00)[pacman-contrib@lists.archlinux.org]; NEURAL_HAM(-0.00)[-1.000]; RCVD_IN_DNSWL_NONE(0.00)[2a00:1450:4864:20::333:received]; ARC_NA(0.00)[]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:24940, ipnet:2a01:4f9::/32, country:DE]; REPLYTO_ADDR_EQ_FROM(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_NEQ_ENVFROM(0.00)[pacman-contrib@lists.archlinux.org,pacman-contrib-bounces@lists.archlinux.org]; RCPT_COUNT_TWO(0.00)[2]; FORGED_RECIPIENTS_MAILLIST(0.00)[]; DKIM_TRACE(0.00)[lists.archlinux.org:+]; FREEMAIL_CC(0.00)[gmail.com]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FORGED_SENDER_MAILLIST(0.00)[] X-Rspamd-Server: mail.archlinux.org |
| Series |
[1/2] paccache.service.in: Add @system-service to SystemCallFilter
|
expand
|
diff --git a/src/paccache.service.in b/src/paccache.service.in index a821daf..57390ea 100644 --- a/src/paccache.service.in +++ b/src/paccache.service.in @@ -28,7 +28,7 @@ ProtectKernelTunables=yes ProtectKernelModules=yes ProtectKernelLogs=yes ProtectControlGroups=yes -RestrictAddressFamilies=AF_UNIX +RestrictAddressFamilies=none RestrictNamespaces=yes LockPersonality=yes MemoryDenyWriteExecute=yes
RestrictAddressFamilies used to not have an option to restrict all address families, but systemd 249 introduced a special value "none" exactly for this purpose. Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> --- src/paccache.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)