From patchwork Fri Jul  9 08:21:37 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?b?RnJlZGVyaWsg4oCcRnJlc2/igJ0gUy4gT2xlc2Vu?=
 <freso.dk@gmail.com>
X-Patchwork-Id: 1937
Return-Path: <pacman-contrib-bounces@lists.archlinux.org>
Delivered-To: patchwork@archlinux.org
Received: from mail.archlinux.org [95.216.189.61]
	by patchwork.archlinux.org with IMAP (fetchmail-6.4.19)
	for <fetchmail@localhost> (single-drop);
 Fri, 09 Jul 2021 08:21:47 +0000 (UTC)
Received: from mail.archlinux.org
	by mail.archlinux.org with LMTP
	id SdKADBsH6GBaSwAAK+/4rw
	(envelope-from <pacman-contrib-bounces@lists.archlinux.org>)
	for <patchwork@archlinux.org>; Fri, 09 Jul 2021 08:21:47 +0000
Received: from lists.archlinux.org (lists.archlinux.org
 [IPv6:2a01:4f9:c010:9eb4::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mail.archlinux.org (Postfix) with ESMTPS id 951AA6F6BDF;
	Fri,  9 Jul 2021 08:21:46 +0000 (UTC)
Received: from lists.archlinux.org (localhost [IPv6:::1])
	by lists.archlinux.org (Postfix) with ESMTP id 7E299221FC2;
	Fri,  9 Jul 2021 08:21:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.archlinux.org;
	s=dkim-rsa; t=1625818906;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post; bh=S65zr6kzXzu6PzQ/TSakb2NAGJHMvuPZ0BwDamAfouI=;
	b=mX3QgkWs7iT/gM8Bo5heVD9KLNSRHNeQ7113U/zE4EP9SV9wZnLWyFUBBDQHEHvB/zyYSs
	5rCGZ6WeVoBSrUnpYkmbkYjfRIRlV58s8t7fBcM3gYSEyCN+NZSXzlbUIny653KpVf0vzt
	KwU+n3XD1F1wEWN+puRKPbk1nAV3Koh0WibubQbrpKUs4FSL5beqVifAQmB13XqiDbYL+n
	G9AlpiAcuKQ9ky+qcrFCy1NugGRevCEFmsQSZ6MgFhJDQX0XGfSH5lmX0RSG0FsEJ09XsX
	10TH/HZqZmcR3Y2IDcUqyb8HF8RR/KALpslJtexgJrXQXXMcu2mtHqoy9hU3aXi7CLWsE9
	/NZV85fie0tPwz2B5yq7IGA03rT1XwbdhlcCqFLbO3PoXJwItOAhCuFqmbHHbYGGFccw7S
	q3MwnWNjbyhtbhOv0ooh6o1UX+/W7so/zLGZwdZN4lgJRh0hqbvrFe0bkIYfMxXDEu/sxX
	vkWJMLfCo7wl1Dk1OxReVXh5gsnS750DT/zul1zfNdTd97RUWc8t4xWqIzzD6GRF+/SUtk
	LXvhmV/KfkiYVm0PtletaNvOWewfvdgxWwfQzk8zOC92WxzsTNkh6T+EsDfVQ7zNm15PlK
	9MCSnBb3yKpJf4n4q3MEvpsm1IMtlMiiO8IR2T1H9crB+rN6kFZtM=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
 d=lists.archlinux.org;
	s=dkim-ed25519; t=1625818906;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post; bh=S65zr6kzXzu6PzQ/TSakb2NAGJHMvuPZ0BwDamAfouI=;
	b=TtF7HrQrdXjyYkS4IVP5v3ybw7O0nGx+qZK9YrB2/ZvGVJDx08u9ZFZlnzV8GsA6FSXz3x
	bbKY+cCmNkWORuDg==
X-Original-To: pacman-contrib@lists.archlinux.org
Delivered-To: pacman-contrib@lists.archlinux.org
Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com
 [IPv6:2607:f8b0:4864:20::42c])
 by lists.archlinux.org (Postfix) with ESMTPS id 6A05F221FB7
 for <pacman-contrib@lists.archlinux.org>;
 Fri,  9 Jul 2021 08:21:45 +0000 (UTC)
Received: by mail-pf1-x42c.google.com with SMTP id a127so8068198pfa.10
 for <pacman-contrib@lists.archlinux.org>;
 Fri, 09 Jul 2021 01:21:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:from:to:subject:message-id:mime-version
 :content-disposition;
 bh=S65zr6kzXzu6PzQ/TSakb2NAGJHMvuPZ0BwDamAfouI=;
 b=SQoaKdFIbGNuue4pJe/64H9EUsMDwGYm/XZTbOo0O/xCuR1MeItOvlOdr75k9SeAV3
 qvD0Umyk+abv/sIVfG4iDeWMbyYB3N7aXQhoolCRrbtvLL6RGREjyiPSvCuBxMnOAXA1
 xyjdpBwcoAQAGsVYC7wwVOuwEtHoV2Z8UH9nlP/HmUf2Ik+ljCef6NF9J4Mw5vAyFP5e
 75GjmNbcjTrVEZazE5N1SApgU8Y40Vm8MRXgRdNDIDNXoSAM/13Zag5YgPATMHr2wxcC
 loZHZa0O2QV013YGB3/weYqHwsO68P2Pah2DKUD4lRug8zz5UGFTin+ZvAix6x1BOn84
 68jA==
X-Gm-Message-State: AOAM533l60tCxmGPZoMMXGZvVEYpZtNsdwtLsFJ1MIy7AgcKyvwuLuao
 CN3Cz9HbnNdH8cUtVY7VN2Y4OPzFh88=
X-Google-Smtp-Source: 
 ABdhPJwKrDZHEj3Y9BsTj8bHW6OfQTTeTp2i3CMcZj5M0cB6kiK3i8A09ukoaEsS1sOLUJ22HPiqiQ==
X-Received: by 2002:a62:8f4a:0:b029:327:6616:410f with SMTP id
 n71-20020a628f4a0000b02903276616410fmr9194380pfd.68.1625818903123;
 Fri, 09 Jul 2021 01:21:43 -0700 (PDT)
Received: from gmail.com (h88-129-191-159.cust.a3fiber.se. [88.129.191.159])
 by smtp.gmail.com with ESMTPSA id u2sm4854136pja.20.2021.07.09.01.21.40
 for <pacman-contrib@lists.archlinux.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 09 Jul 2021 01:21:42 -0700 (PDT)
Date: Fri, 9 Jul 2021 10:21:37 +0200
To: pacman-contrib@lists.archlinux.org
Subject: [PATCH 1/2] paccache.service.in: Harden unit
Message-ID: <20210709082137.jfz65japcq2nenv6@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
X-BeenThere: pacman-contrib@lists.archlinux.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion list for pacman-contrib development
 <pacman-contrib.lists.archlinux.org>
List-Unsubscribe: <https://lists.archlinux.org/options/pacman-contrib>,
 <mailto:pacman-contrib-request@lists.archlinux.org?subject=unsubscribe>
List-Archive: <https://lists.archlinux.org/pipermail/pacman-contrib/>
List-Post: <mailto:pacman-contrib@lists.archlinux.org>
List-Help: <mailto:pacman-contrib-request@lists.archlinux.org?subject=help>
List-Subscribe: <https://lists.archlinux.org/listinfo/pacman-contrib>,
 <mailto:pacman-contrib-request@lists.archlinux.org?subject=subscribe>
From: =?utf-8?q?Frederik_=E2=80=9CFreso=E2=80=9D_S=2E_Olesen_via_pacman-cont?=
	=?utf-8?q?rib?= <pacman-contrib@lists.archlinux.org>
Reply-To: Discussion list for pacman-contrib development
 <pacman-contrib@lists.archlinux.org>
Cc: Frederik =?utf-8?b?4oCcRnJlc2/igJ0gUy4=?= Olesen <freso.dk@gmail.com>
Errors-To: pacman-contrib-bounces@lists.archlinux.org
Sender: "pacman-contrib" <pacman-contrib-bounces@lists.archlinux.org>
Authentication-Results: mail.archlinux.org;
	dkim=pass header.d=lists.archlinux.org header.s=dkim-rsa header.b=mX3QgkWs;
	dkim=pass header.d=lists.archlinux.org header.s=dkim-ed25519
 header.b=TtF7HrQr;
	dmarc=pass (policy=none) header.from=archlinux.org;
	spf=pass (mail.archlinux.org: domain of
 pacman-contrib-bounces@lists.archlinux.org designates 2a01:4f9:c010:9eb4::1
 as permitted sender) smtp.mailfrom=pacman-contrib-bounces@lists.archlinux.org
X-Rspamd-Queue-Id: 951AA6F6BDF
X-Spamd-Result: default: False [-6.01 / 15.00];
	 HAS_REPLYTO(0.00)[pacman-contrib@lists.archlinux.org];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 TO_DN_SOME(0.00)[];
	 R_SPF_ALLOW(-0.20)[+ip6:2a01:4f9:c010:9eb4::1:c];
	 REPLYTO_ADDR_EQ_FROM(0.00)[];
	 RCVD_DKIM_ARC_DNSWL_MED(-0.50)[];
	 DKIM_TRACE(0.00)[lists.archlinux.org:+];
	 RCPT_COUNT_TWO(0.00)[2];
	 DMARC_POLICY_ALLOW(-0.50)[archlinux.org,none];
	 RCVD_IN_DNSWL_MED(-0.20)[2a01:4f9:c010:9eb4::1:from];
	 MAILLIST(-0.20)[mailman];
	 SIGNED_PGP(-2.00)[];
	 FORGED_RECIPIENTS_MAILLIST(0.00)[];
	 MIME_TRACE(0.00)[0:+,1:+,2:~];
	 RCVD_TLS_LAST(0.00)[];
	 ASN(0.00)[asn:24940, ipnet:2a01:4f9::/32, country:DE];
	 FROM_NEQ_ENVFROM(0.00)[pacman-contrib@lists.archlinux.org,pacman-contrib-bounces@lists.archlinux.org];
	 ARC_NA(0.00)[];
	 R_DKIM_ALLOW(-0.20)[lists.archlinux.org:s=dkim-rsa,lists.archlinux.org:s=dkim-ed25519];
	 RCVD_COUNT_FIVE(0.00)[5];
	 FROM_HAS_DN(0.00)[];
	 DWL_DNSWL_MED(-2.00)[archlinux.org:dkim];
	 TAGGED_RCPT(0.00)[];
	 PREVIOUSLY_DELIVERED(0.00)[pacman-contrib@lists.archlinux.org];
	 MIME_GOOD(-0.20)[multipart/signed,text/plain];
	 HAS_LIST_UNSUB(-0.01)[];
	 RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::42c:received];
	 NEURAL_HAM(-0.00)[-1.000];
	 FREEMAIL_CC(0.00)[gmail.com];
	 FORGED_SENDER_MAILLIST(0.00)[]
X-Rspamd-Server: mail.archlinux.org

Adds a number of sandboxing and other hardening options to the
paccache.service file.

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
---
 src/Makefile.am         |  2 ++
 src/paccache.service.in | 28 ++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/src/Makefile.am b/src/Makefile.am
index eef0590..e5af195 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -8,6 +8,7 @@ DIST_SUBDIRS = $(SUBDIRS)
 conffile  = ${sysconfdir}/pacman.conf
 dbpath    = ${localstatedir}/lib/pacman/
 gpgdir    = ${sysconfdir}/pacman.d/gnupg/
+cachedir  = ${localstatedir}/cache/pacman
 
 bin_SCRIPTS = \
 	$(OURSCRIPTS)
@@ -95,6 +96,7 @@ AM_CFLAGS = \
 
 edit = sed \
 	-e 's|@bindir[@]|$(bindir)|g' \
+	-e 's|@cachedir[@]|$(cachedir)|g' \
 	-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
 	-e 's|@localstatedir[@]|$(localstatedir)|g' \
 	-e 's|@PACKAGE_VERSION[@]|$(REAL_PACKAGE_VERSION)|g' \
diff --git a/src/paccache.service.in b/src/paccache.service.in
index cd28e67..0f71f5f 100644
--- a/src/paccache.service.in
+++ b/src/paccache.service.in
@@ -4,3 +4,31 @@ Description=Remove unused cached package files
 [Service]
 Type=oneshot
 ExecStart=@bindir@/paccache -r
+# Sandboxing and other hardening
+ProtectProc=invisible
+ProcSubset=pid
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=@cachedir@/pkg
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateIPC=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=@file-system
+SystemCallArchitectures=native

From patchwork Fri Jul  9 10:10:52 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?b?RnJlZGVyaWsg4oCcRnJlc2/igJ0gUy4gT2xlc2Vu?=
 <freso.dk@gmail.com>
X-Patchwork-Id: 1938
Return-Path: <pacman-contrib-bounces@lists.archlinux.org>
Delivered-To: patchwork@archlinux.org
Received: from mail.archlinux.org [95.216.189.61]
	by patchwork.archlinux.org with IMAP (fetchmail-6.4.19)
	for <fetchmail@localhost> (single-drop);
 Fri, 09 Jul 2021 10:11:01 +0000 (UTC)
Received: from mail.archlinux.org
	by mail.archlinux.org with LMTP
	id ag1eObQg6GBbVgAAK+/4rw
	(envelope-from <pacman-contrib-bounces@lists.archlinux.org>)
	for <patchwork@archlinux.org>; Fri, 09 Jul 2021 10:11:00 +0000
Received: from lists.archlinux.org (lists.archlinux.org [95.217.236.249])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mail.archlinux.org (Postfix) with ESMTPS id 04C726F72DB;
	Fri,  9 Jul 2021 10:10:59 +0000 (UTC)
Received: from lists.archlinux.org (localhost [IPv6:::1])
	by lists.archlinux.org (Postfix) with ESMTP id B3E8F222EA7;
	Fri,  9 Jul 2021 10:10:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.archlinux.org;
	s=dkim-rsa; t=1625825459;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=FVm4y9LTnRLeDuLERQ00Hxe6g+mnDjpltRVj6GV2rj8=;
	b=mgvddsp8icZ4T/wwJdy6zNrf/TotkwSv5JvpMYnsxYohvYTpiHEOGKQXmKXJXXr1ws+qv9
	/VOYfcwCCpJIwLXc+C3YfDOvSghhFURG21lB8YbGjZRSCRcQhWcda22PC76lSwxsYrgin6
	X35amJMg3Xcf9MHpSk4xKHvSVdZbg9EXZF6n+p8G8uELjgt+dd1kW/1NXMJP2P383t+zub
	+BuVEWyJj9BWKMupBLEkuIe8PNwHKdV8b7e0Yt2hot8yK7N6RtGkDgVE3A1FXqMCz5Cs1O
	nbvEYBD94vtqnzvvR+Baa5soavwAlR3jt+Z2VnhsM+Z6TMq0pxnecpCqx0o2gLWBSlDY7p
	OSORy6nGyaIS6ja/QpTH3jUZO3Y8l0ZtcAwQy8hA4D0vPqtBXLtXDa1IlK8RG3pUkuWx4A
	EZol4M3xUGFfRewG8QzGZH3/8qExQp2nnN+3CfVLCxdx2T+/5d9/gLNZ3WSlw5DvLV2TGJ
	bs3A3KqYOkM4gv7+HHKBdwdH5WBI2eO4lD2RCOEI2/UEtMK9FP9cVgyM/twhTIHMmbdHgx
	HZc1/ypiX8ZcRzDaN0xkImgatwpGU3ULoBqO4QCO+uL9868pjQpD/6tYRHEZWips594lCn
	D7YGTsZu5zH8MyJFWh+0O8KWKqhX42moHYbZtxfYgI9Cd3gTz7FOo=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
 d=lists.archlinux.org;
	s=dkim-ed25519; t=1625825459;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=FVm4y9LTnRLeDuLERQ00Hxe6g+mnDjpltRVj6GV2rj8=;
	b=BWL9yXJZICW9XIB4D27ls3iRazW8GTIV+mJlURQN2aY9tgjLuhOx/pa+t02/J1smeszwoX
	3LKhHydWCjlZauCQ==
X-Original-To: pacman-contrib@lists.archlinux.org
Delivered-To: pacman-contrib@lists.archlinux.org
Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com
 [IPv6:2607:f8b0:4864:20::82d])
 by lists.archlinux.org (Postfix) with ESMTPS id F2C8A222E95
 for <pacman-contrib@lists.archlinux.org>;
 Fri,  9 Jul 2021 10:10:57 +0000 (UTC)
Received: by mail-qt1-x82d.google.com with SMTP id z25so4477142qto.12
 for <pacman-contrib@lists.archlinux.org>;
 Fri, 09 Jul 2021 03:10:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:date:from:to:subject:message-id:mime-version
 :content-disposition:in-reply-to;
 bh=FVm4y9LTnRLeDuLERQ00Hxe6g+mnDjpltRVj6GV2rj8=;
 b=nhsyOp6sMONTahftEEtLL3vPls1A6orAMfGq3n3au2NT71DkOEUM7+tCPOTomD3km5
 VfYvEivX3qosHY4dgBunniZrLf8U6DJOgUzu2Td5bla7rDSG2MOH2vtcLLNpMDquKZsc
 0jRIOme9fE8H3JujqX/zaXeFqfypclQqq7QgVp885U/SdD+/d8Aem2d6kWJHG1TVdEAF
 b3hGETkpC/obbNtLlniWgwgMagbOCzumQVsa9oLbHO6NaP4t63NIWQhQahmGP4n+Ofbf
 Vp427S9hsjiPzYjm4h7S5Eymcd4HCB6cbGFlF2afp3mkAVy0ZjQvk36cUN9xMfctw2u9
 6j8w==
X-Gm-Message-State: AOAM531wgo1QCnqJtesSYxIxQVJ23WWqOXYJKKG+uR0pbEPauwvMd5JL
 WtsPvtCJ/yEwr+uodxKUA1OP5/ra0qw=
X-Google-Smtp-Source: 
 ABdhPJz4Q5YSf+oYiaJOIibwbn8CiArwJdx5p2TVJYQm9Qeog5YX2xcj6x3x0sel5Bg1+AbGu3xhVQ==
X-Received: by 2002:ac8:47d9:: with SMTP id
 d25mr22509595qtr.277.1625825456452;
 Fri, 09 Jul 2021 03:10:56 -0700 (PDT)
Received: from gmail.com (h88-129-191-159.cust.a3fiber.se. [88.129.191.159])
 by smtp.gmail.com with ESMTPSA id v20sm2005131qto.89.2021.07.09.03.10.55
 for <pacman-contrib@lists.archlinux.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 09 Jul 2021 03:10:55 -0700 (PDT)
Date: Fri, 9 Jul 2021 12:10:52 +0200
To: pacman-contrib@lists.archlinux.org
Subject: [PATCH 2/2] paccache.service.in: Lower priority of unit
Message-ID: <20210709101037.yjjcibln6s2ew7x7@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20210709082137.jfz65japcq2nenv6@gmail.com>
X-BeenThere: pacman-contrib@lists.archlinux.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Discussion list for pacman-contrib development
 <pacman-contrib.lists.archlinux.org>
List-Unsubscribe: <https://lists.archlinux.org/options/pacman-contrib>,
 <mailto:pacman-contrib-request@lists.archlinux.org?subject=unsubscribe>
List-Archive: <https://lists.archlinux.org/pipermail/pacman-contrib/>
List-Post: <mailto:pacman-contrib@lists.archlinux.org>
List-Help: <mailto:pacman-contrib-request@lists.archlinux.org?subject=help>
List-Subscribe: <https://lists.archlinux.org/listinfo/pacman-contrib>,
 <mailto:pacman-contrib-request@lists.archlinux.org?subject=subscribe>
From: =?utf-8?q?Frederik_=E2=80=9CFreso=E2=80=9D_S=2E_Olesen_via_pacman-cont?=
	=?utf-8?q?rib?= <pacman-contrib@lists.archlinux.org>
Reply-To: Discussion list for pacman-contrib development
 <pacman-contrib@lists.archlinux.org>
Cc: Frederik =?utf-8?b?4oCcRnJlc2/igJ0gUy4=?= Olesen <freso.dk@gmail.com>
Errors-To: pacman-contrib-bounces@lists.archlinux.org
Sender: "pacman-contrib" <pacman-contrib-bounces@lists.archlinux.org>
Authentication-Results: mail.archlinux.org;
	dkim=pass header.d=lists.archlinux.org header.s=dkim-rsa header.b=mgvddsp8;
	dkim=pass header.d=lists.archlinux.org header.s=dkim-ed25519
 header.b=BWL9yXJZ;
	dmarc=pass (policy=none) header.from=archlinux.org;
	spf=pass (mail.archlinux.org: domain of
 pacman-contrib-bounces@lists.archlinux.org designates 95.217.236.249 as
 permitted sender) smtp.mailfrom=pacman-contrib-bounces@lists.archlinux.org
X-Rspamd-Queue-Id: 04C726F72DB
X-Spamd-Result: default: False [-6.01 / 15.00];
	 HAS_REPLYTO(0.00)[pacman-contrib@lists.archlinux.org];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 TO_DN_SOME(0.00)[];
	 R_SPF_ALLOW(-0.20)[+ip4:95.217.236.249];
	 REPLYTO_ADDR_EQ_FROM(0.00)[];
	 RCVD_DKIM_ARC_DNSWL_MED(-0.50)[];
	 RCVD_IN_DNSWL_MED(-0.20)[95.217.236.249:from];
	 RCPT_COUNT_TWO(0.00)[2];
	 DMARC_POLICY_ALLOW(-0.50)[archlinux.org,none];
	 DKIM_TRACE(0.00)[lists.archlinux.org:+];
	 MAILLIST(-0.20)[mailman];
	 SIGNED_PGP(-2.00)[];
	 FORGED_RECIPIENTS_MAILLIST(0.00)[];
	 MIME_TRACE(0.00)[0:+,1:+,2:~];
	 RCVD_TLS_LAST(0.00)[];
	 ASN(0.00)[asn:24940, ipnet:95.217.0.0/16, country:DE];
	 FROM_NEQ_ENVFROM(0.00)[pacman-contrib@lists.archlinux.org,pacman-contrib-bounces@lists.archlinux.org];
	 ARC_NA(0.00)[];
	 RCVD_COUNT_FIVE(0.00)[5];
	 R_DKIM_ALLOW(-0.20)[lists.archlinux.org:s=dkim-rsa,lists.archlinux.org:s=dkim-ed25519];
	 FROM_HAS_DN(0.00)[];
	 DWL_DNSWL_MED(-2.00)[archlinux.org:dkim];
	 TAGGED_RCPT(0.00)[];
	 PREVIOUSLY_DELIVERED(0.00)[pacman-contrib@lists.archlinux.org];
	 MIME_GOOD(-0.20)[multipart/signed,text/plain];
	 HAS_LIST_UNSUB(-0.01)[];
	 RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::82d:received];
	 NEURAL_HAM(-0.00)[-1.000];
	 FREEMAIL_CC(0.00)[gmail.com];
	 FORGED_SENDER_MAILLIST(0.00)[]
X-Rspamd-Server: mail.archlinux.org

The unit will be run in the background and is not essential for systems
to operate, so giving it the lowest priority will help make it less
disruptive on its system.

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
---
 src/paccache.service.in | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/paccache.service.in b/src/paccache.service.in
index 0f71f5f..79b1c91 100644
--- a/src/paccache.service.in
+++ b/src/paccache.service.in
@@ -4,6 +4,13 @@ Description=Remove unused cached package files
 [Service]
 Type=oneshot
 ExecStart=@bindir@/paccache -r
+# Lowering priority
+OOMScoreAdjust=1000
+Nice=19
+CPUSchedulingPolicy=idle
+CPUSchedulingPriority=1
+IOSchedulingClass=idle
+IOSchedulingPriority=7
 # Sandboxing and other hardening
 ProtectProc=invisible
 ProcSubset=pid