Pushed, thank you!

On 7/9/21 7:01 AM, Frederik “Freso” S. Olesen via pacman-contrib wrote:
Adds a number of sandboxing and other hardening options to the paccache.service file.
Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
---
 src/paccache.service.in | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/src/paccache.service.in b/src/paccache.service.in index cd28e67..927574f 100644 --- a/src/paccache.service.in +++ b/src/paccache.service.in @@ -4,3 +4,30 @@ Description=Remove unused cached package files [Service] Type=oneshot ExecStart=@bindir@/paccache -r +# Sandboxing and other hardening +ProtectProc=invisible +ProcSubset=pid +NoNewPrivileges=yes +ProtectSystem=full +ProtectHome=yes +PrivateTmp=yes +PrivateDevices=yes +PrivateNetwork=yes +PrivateIPC=yes +PrivateUsers=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes +PrivateMounts=yes +SystemCallFilter=@file-system +SystemCallArchitectures=native
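Review bot: `SystemCallFilter=@file-system` is an allow-list, and the file-system group alone omits what a shell script such as paccache needs beyond file operations: reading and writing descriptors (@basic-io) and forking and waiting on the helper programs it runs (@process), so with the hunk as written the unit is likely to be killed by seccomp on its first read() or fork(). Either widen the filter to the groups the script actually uses, for example `SystemCallFilter=@system-service` in place of `@file-system`, or verify before merging with `systemctl start paccache.service` and `journalctl -u paccache.service` that the `-r` run completes and actually prunes the cache; `systemd-analyze security paccache.service` is a useful cross-check for the rest of the block. The other settings are consistent with the job: `ProtectSystem=full` keeps /var writable so the package cache under it can still be removed (tightening to `strict` later would need a matching `ReadWritePaths=`), and `PrivateNetwork=yes` together with `RestrictAddressFamilies=AF_UNIX` fits a task that never touches the network.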
--
Best,
Daniel <https://danielcapella.com>