[arch-commits] Commit in umurmur/trunk (3 files)
David Runge
dvzrv at archlinux.org
Sat Jan 9 00:30:36 UTC 2021
Date: Saturday, January 9, 2021 @ 00:30:35
Author: dvzrv
Revision: 814255
upgpkg: umurmur 0.2.18-1: Upgrade to 0.2.18.
Switch to openssl as TLS provider as it is upstream's default.
Patch cmake setup to install the config with stricter permissions to the correct location.
Make build and installation more verbose.
Harden the systemd system service further.
Added:
umurmur/trunk/umurmur-0.2.18-cmake.patch
Modified:
umurmur/trunk/PKGBUILD
umurmur/trunk/umurmur.service
----------------------------+
PKGBUILD | 43 ++++++++++++++++------------
umurmur-0.2.18-cmake.patch | 26 +++++++++++++++++
umurmur.service | 64 +++++++++++++++++++++++++++++++++----------
3 files changed, 101 insertions(+), 32 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-01-09 00:30:01 UTC (rev 814254)
+++ PKGBUILD 2021-01-09 00:30:35 UTC (rev 814255)
@@ -5,28 +5,38 @@
# Contributor: xav <xav at ethertricks dot net>
pkgname=umurmur
-pkgver=0.2.17
-pkgrel=19
+pkgver=0.2.18
+pkgrel=1
pkgdesc='Minimalistic Mumble server'
url="https://github.com/umurmur/umurmur"
arch=('x86_64')
license=('BSD')
-depends=('glibc')
-makedepends=('cmake' 'libconfig' 'protobuf-c' 'mbedtls')
+depends=('glibc' 'openssl')
+makedepends=('cmake' 'libconfig' 'protobuf-c')
backup=('etc/umurmur/umurmur.conf')
source=(${pkgname}-${pkgver}.tar.gz::https://github.com/umurmur/umurmur/archive/${pkgver}.tar.gz
+ "${pkgname}-0.2.18-cmake.patch"
umurmur.sysusers
umurmur.service
umurmur.tmpfiles)
-sha256sums=('e77b7b6616768f4a1c07442afe49a772692f667b00c23cc85909d4dd0ce206d2'
- '0fc68df464ee51a431d934d068aed0be5f8c5e64d0bd29848f97532d39f8c310'
- 'b8b22b6299777fbd1d12e3105280c8585ceca9b6caf7b8d3ab0642c5a56b031f'
- '287068f47fc035a70e2ae0c8434e8013f176d185bf7688216c36976982fe4491')
-sha512sums=('a496a51fd7815ad117f5aee17bb78cbd319c584ad60ab8aebbfd8ddf7b1760f443f2337bc74be1e0d5af17d3c3df2ae6c9060eca576cf1e6ed4c6cb0825e9c15'
+sha512sums=('bd1cd7149684dbe42b9804c9a5539cdb2becf6b721d74bd88d154e9037d3289ab57ee816c0592a0167ddd302da68d94017c86deb96348d272ec9bd21e9628656'
+ 'b3f0a6c7d7cfe94e6ffceed832b8bcdda256e27f350abf80697d81ba154cd529a8b54fb8dac05273886e75d137ebcd71b4c9c06fdb7d0f45f1345a7cf9418b3f'
'd84950a32ab8a2e84f5fe333cd2894e52aba624531644d106c982aa4ff04271d318543398fa7f48c719f26338679fa971bb5332472e9040ac9aa8a9b4a1f2832'
- '746a3e2d9e8c5154bdfb2cef6cbe39cccf0356bc1dde0434b92ec1a6b224a5bfa51fd15483c3ac5a75292eae7a6d4b0431ecb2a586bdd9fcc3fe9b2a7bff64a1'
+ '1e4c7c41fdcc37aa681080ee6f0bb617e7d7245d23e07b586807b2fcb3c04f4d5109e6fad50ec43738007f57e9585b5622f112be3b0def155b5ac144f88930a7'
'825b50448231b5d791e87d7c4c471fdfe2e9a1560dad6fc90c2f4f8d0c5ed682291bf20b147a6a8c7ae361aeb8b1a11c24c6d41ffc17f06fb0f5ccd8208a899a')
+b2sums=('45a6e247dee604861e70698350b7b0ee28fd7ee82a94f684eae8ff5ab7daa0c3446b32c4aa28b39e64588944b8b81c4e2a11db79d0bde9e4a2012e67b4125be2'
+ 'ff64c6179ebd6a21e3d51acef36c23955a4a1fcc1a9794686f8a0a447ec36f7c8b490c0ba553971bb76fbf77bda0600ddb4acf0163fa492d6e1dc75d29ba059d'
+ '549dda6277c3758d221a259d08d3f91658d7615b0c06ebf2af6f3966fd798ce6228ff9ccb653daeb1d2b592e029e96e756df779ad0d4a809e224f2071e5d76cc'
+ 'a4be46591c2e5315826708587a8e9f9416e8ce91580457b0a9fc36dc3749eeb5737a9e1ebc47387c160e1de897ab940c3badaeb03f06f542c4f76536df1d5590'
+ '355eb00fc390ff200c96ef179f2f8cab4b4a5aeca3db0781556b567de44996562f12f7cc69225159e8b1cdb26b0bacf38c7776cdc553bbe0745eb0228219df4c')
+prepare() {
+ cd ${pkgname}-${pkgver}
+ # fix config install directory
+ # https://github.com/umurmur/umurmur/pull/164
+ patch -Np1 -i "../${pkgname}-0.2.18-cmake.patch"
+}
+
build() {
cd ${pkgname}-${pkgver}
export CFLAGS+=" ${CPPFLAGS}"
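Review bot: The comment in `prepare()` says only `# fix config install directory`, but the patch it applies also sets the mode of the installed config and removes upstream's check for an existing file. The explicit `install -vDm 640` step is dropped from `package()` in the next hunk, so this comment is the only place in the PKGBUILD that records where the 0640 mode now comes from. I would write `# install config to /etc/umurmur with mode 0640 (replaces the manual install in package())` and keep the pull-request link below it. The `build()` function that follows continues outside this hunk.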
@@ -33,24 +43,21 @@
export CXXFLAGS+=" ${CPPFLAGS}"
cmake -DCMAKE_INSTALL_PREFIX='/usr' \
-DCMAKE_BUILD_TYPE='None' \
- -DSSL=mbedtls \
-Wno-dev \
-B build \
-S .
- make -C build
+ make VERBOSE=1 -C build
}
package() {
- depends+=('libconfig.so' 'libmbedcrypto.so' 'libmbedtls.so' 'libmbedx509.so' 'libprotobuf-c.so')
+ depends+=('libconfig.so' 'libprotobuf-c.so')
cd ${pkgname}-${pkgver}
- make -C build DESTDIR="${pkgdir}" install
- install -vDm 640 "${pkgdir}/usr/etc/umurmur.conf" -t "${pkgdir}/etc/umurmur"
- rm -r "${pkgdir}/usr/etc"
+ make VERBOSE=1 DESTDIR="${pkgdir}" install -C build
install -vDm 644 "${srcdir}/umurmur.service" -t "${pkgdir}/usr/lib/systemd/system"
- install -vDm 644 LICENSE -t "${pkgdir}/usr/share/licenses/${pkgname}"
-
install -vDm 644 "${srcdir}/umurmur.sysusers" "${pkgdir}/usr/lib/sysusers.d/umurmur.conf"
install -vDm 644 "${srcdir}/umurmur.tmpfiles" "${pkgdir}/usr/lib/tmpfiles.d/umurmur.conf"
+ install -vDm 644 LICENSE -t "${pkgdir}/usr/share/licenses/${pkgname}"
+ install -vDm 644 {AUTHORS,ChangeLog,README.md} -t "${pkgdir}/usr/share/doc/${pkgname}"
}
# vim: ts=2 sw=2 et:
Added: umurmur-0.2.18-cmake.patch
===================================================================
--- umurmur-0.2.18-cmake.patch (rev 0)
+++ umurmur-0.2.18-cmake.patch 2021-01-09 00:30:35 UTC (rev 814255)
@@ -0,0 +1,26 @@
+diff -ruN a/CMakeLists.txt b/CMakeLists.txt
+--- a/CMakeLists.txt 2020-12-31 09:56:25.000000000 +0100
++++ b/CMakeLists.txt 2021-01-07 17:29:04.152477922 +0100
+@@ -18,15 +18,16 @@
+
+ include(Options)
+ include(Tools)
++include(GNUInstallDirs)
+
+ find_package(Libconfig REQUIRED)
+ find_package(ProtobufC REQUIRED)
+
+ add_subdirectory(src)
+
+-find_path(OLD_CONFIG_FILE NAMES "umurmur.conf" PATHS ${CMAKE_INSTALL_PREFIX} PATH_SUFFIXES "etc")
+-
+-if(NOT OLD_CONFIG_FILE)
+- install(FILES "umurmur.conf.example" DESTINATION "etc" RENAME "umurmur.conf")
+-endif()
+-
++install(
++ FILES "umurmur.conf.example"
++ DESTINATION "/${CMAKE_INSTALL_SYSCONFDIR}/umurmur"
++ PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ
++ RENAME "umurmur.conf"
++)
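Review bot: The `DESTINATION "/${CMAKE_INSTALL_SYSCONFDIR}/umurmur"` line builds an absolute path by hand-prefixing a slash to a relative GNUInstallDirs variable, which gives `/etc/umurmur` only because that variable defaults to `etc`. GNUInstallDirs already provides the absolute form, so `DESTINATION "${CMAKE_INSTALL_FULL_SYSCONFDIR}/umurmur"` is the conventional spelling and follows the module's prefix-specific rules. The new rule also drops the old `find_path` guard, so a plain `make install` outside a package manager would replace an existing `umurmur.conf`; for this package `backup=('etc/umurmur/umurmur.conf')` covers that, but it is worth stating in the upstream pull request. The file is installed as 0640 with whatever owner the install runs as, so read access for the service user presumably depends on `umurmur.tmpfiles`, which is not shown here.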
Modified: umurmur.service
===================================================================
--- umurmur.service 2021-01-09 00:30:01 UTC (rev 814254)
+++ umurmur.service 2021-01-09 00:30:35 UTC (rev 814255)
@@ -3,24 +3,60 @@
After=network.target
[Service]
-Type=simple
-User=umurmur
-Group=umurmur
-PIDFile=/run/umurmurd.pid
+CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_PTRACE
+CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
+CapabilityBoundingSet=~CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER
+CapabilityBoundingSet=~CAP_NET_ADMIN
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_KILL
+CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_SYS_BOOT
+CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_SYS_CHROOT
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
+CapabilityBoundingSet=~CAP_LEASE
+CapabilityBoundingSet=~CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CPUAccounting=true
+DevicePolicy=closed
ExecStartPre=/usr/bin/umurmurd -t -c /etc/umurmur/umurmur.conf
ExecStart=/usr/bin/umurmurd -d -r -c /etc/umurmur/umurmur.conf
ExecReload=/bin/kill -HUP $MAINPID
-PrivateDevices=yes
-PrivateTmp=yes
+Group=umurmur
+IPAccounting=true
+LimitRTPRIO=1
+LockPersonality=true
+MemoryAccounting=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PIDFile=/run/umurmurd.pid
+PrivateDevices=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
ProtectSystem=strict
ReadWriteDirectories=/etc/umurmur
-ProtectHome=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
-NoNewPrivileges=yes
-LimitRTPRIO=1
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+UMask=007
+User=umurmur
[Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
\ No newline at end of file
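Review bot: The nineteen `CapabilityBoundingSet=~…` lines form a deny-list, so any capability not named there, including ones introduced by newer kernels, stays in the bounding set. The unit runs as `User=umurmur` with `NoNewPrivileges=true` and even removes `CAP_NET_BIND_SERVICE`, so it appears to need no capabilities at all; a single empty assignment `CapabilityBoundingSet=` would express that as an allow-list in one line. Separately, `RestrictAddressFamilies=AF_INET AF_INET6` leaves out `AF_UNIX`, which the systemd.exec documentation recommends keeping in most cases because syslog and other local IPC use it. If umurmurd logs through syslog or does user lookups over a local socket, that would fail under this filter, so `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` may be needed and is worth testing.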