[arch-commits] Commit in dnscrypt-proxy/trunk (PKGBUILD dnscrypt-proxy.service)

David Runge dvzrv at archlinux.org
Sat Mar 7 18:14:16 UTC 2020 

    Date: Saturday, March 7, 2020 @ 18:14:16
  Author: dvzrv
Revision: 591238

upgpkg: dnscrypt-proxy 2.0.39-3: Adding all possible hardening options to dnscrypt-proxy.service.

Modified:
  dnscrypt-proxy/trunk/PKGBUILD
  dnscrypt-proxy/trunk/dnscrypt-proxy.service

------------------------+
 PKGBUILD               |    4 ++--
 dnscrypt-proxy.service |   29 ++++++++++++++++++++---------
 2 files changed, 22 insertions(+), 11 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2020-03-07 18:12:18 UTC (rev 591237)
+++ PKGBUILD	2020-03-07 18:14:16 UTC (rev 591238)
@@ -5,7 +5,7 @@
 
 pkgname=dnscrypt-proxy
 pkgver=2.0.39
-pkgrel=2
+pkgrel=3
 pkgdesc="DNS proxy, supporting encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTPS"
 arch=('x86_64')
 url="https://dnscrypt.info"
@@ -26,7 +26,7 @@
         "${pkgname}.socket"
         'configuration.diff')
 sha512sums=('d4eacd8d1989b99d9932d66ef609948558af26f9db1fc37acd6b5609e2a410d20828e32f2b79f2f9fbdf822998af641aec20128e4c58233663929106e29d8e24'
-            'aa871927bbc37d0c629e75a39cbfe50ce6062a19d7fe5b61895c604d6a480ba8f484cf207943c6ee7bf2dc3c7799d8f7a2b1ea5c8e586920c97730a7c503985e'
+            'a5ec1df803436b2330861f2121fc39337cafd80cff39d29f10499ec63df7232343c249ba7ef9abbd395239d6cd482d65fd7654d196f8363feca85dd8c75f2e15'
             '56a56e87032da9316b392b0613124b0743673041596c717005541ae9b3994c7fc16c02497ea773d321f45d8e0f9ea8fda00783062cef4d5c8277b5b6f7cb10d5'
             '456a81906c9713f7b9bdc6e152d3688899da6f760758fce91a9c625da3d7286bf0fd1d54419a57aa5ec1d9d50e1d2db32b6d5f36c2f265e227dc7e8eef65cfdd')
 

Modified: dnscrypt-proxy.service
===================================================================
--- dnscrypt-proxy.service	2020-03-07 18:12:18 UTC (rev 591237)
+++ dnscrypt-proxy.service	2020-03-07 18:14:16 UTC (rev 591238)
@@ -5,20 +5,31 @@
 Before=nss-lookup.target
 
 [Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CacheDirectory=dnscrypt-proxy
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+DynamicUser=yes
+ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
+LockPersonality=yes
+LogsDirectory=dnscrypt-proxy
+MemoryDenyWriteExecute=true
 NonBlocking=true
-ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
-DynamicUser=yes
-ProtectSystem=strict
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectControlGroups=yes
 ProtectHome=yes
-ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-LockPersonality=yes
-CacheDirectory=dnscrypt-proxy
-LogsDirectory=dnscrypt-proxy
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
 RuntimeDirectory=dnscrypt-proxy
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-NoNewPrivileges=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
 
 [Install]
 WantedBy=multi-user.target

More information about the arch-commits mailing list