Adds a number of sandboxing and other hardening options to the paccache.service file.
Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
---
src/Makefile.am | 2 ++
src/paccache.service.in | 28 ++++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/src/Makefile.am b/src/Makefile.am
index eef0590..e5af195 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -8,6 +8,7 @@ DIST_SUBDIRS = $(SUBDIRS)
 conffile = ${sysconfdir}/pacman.conf
 dbpath = ${localstatedir}/lib/pacman/
 gpgdir = ${sysconfdir}/pacman.d/gnupg/
+cachedir = ${localstatedir}/cache/pacman
 
 bin_SCRIPTS = \
 	$(OURSCRIPTS)
@@ -95,6 +96,7 @@ AM_CFLAGS = \
 
 edit = sed \
 	-e 's|@bindir[@]|$(bindir)|g' \
+	-e 's|@cachedir[@]|$(cachedir)|g' \
 	-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
 	-e 's|@localstatedir[@]|$(localstatedir)|g' \
 	-e 's|@PACKAGE_VERSION[@]|$(REAL_PACKAGE_VERSION)|g' \
diff --git a/src/paccache.service.in b/src/paccache.service.in
index cd28e67..0f71f5f 100644
--- a/src/paccache.service.in
+++ b/src/paccache.service.in
@@ -4,3 +4,31 @@ Description=Remove unused cached package files
 [Service]
 Type=oneshot
 ExecStart=@bindir@/paccache -r
+# Sandboxing and other hardening
+ProtectProc=invisible
+ProcSubset=pid
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=@cachedir@/pkg
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateIPC=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=@file-system
+SystemCallArchitectures=native
-- 
2.32.0
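Review bot: `SystemCallFilter=@file-system` on the second-to-last added line of the paccache.service.in hunk is an allow-list, so the shell that runs paccache is left with file-system calls plus the handful systemd always permits (execve, exit, time queries); process creation for its subcommands, memory mapping, pipes and signal handling all fall outside @file-system, so the unit will most likely be killed with SIGSYS before it does any work. The established baseline for this kind of unit is the service allow-list with the dangerous groups denied, `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources`. Separately, `ReadWritePaths=@cachedir@/pkg` pins the only writable location to the build-time default; if paccache honours a CacheDir configured in pacman.conf that differs from it, ProtectSystem=strict leaves that directory read-only and the purge fails with EROFS, so the line deserves a comment such as `# Must match CacheDir in pacman.conf; add entries here if CacheDir is customised`.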