[arch-commits] Commit in radicale/trunk (PKGBUILD radicale.service)
Bruno Pagani
archange at gemini.archlinux.org
Sun Jul 25 01:20:13 UTC 2021
Date: Sunday, July 25, 2021 @ 01:20:13
Author: archange
Revision: 984929
Harden systemd service a bit more
Modified:
radicale/trunk/PKGBUILD
radicale/trunk/radicale.service
------------------+
PKGBUILD | 6 +++---
radicale.service | 15 +++++++++------
2 files changed, 12 insertions(+), 9 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-07-24 23:45:59 UTC (rev 984928)
+++ PKGBUILD 2021-07-25 01:20:13 UTC (rev 984929)
@@ -6,7 +6,7 @@
pkgname=radicale
_name=Radicale
pkgver=3.0.6
-pkgrel=2
+pkgrel=3
pkgdesc='Simple calendar (CalDAV) and contact (CardDAV) server'
arch=('any')
url="https://radicale.org/"
@@ -25,11 +25,11 @@
sha512sums=('e9741547395fae8886ad84b6807422ebb196f5293d484f5f6136498058576cff697e28c117216f151d56494af83593347ceee40a6efa21272b803d0f301a396d'
'56dffb66e018cfbf158dc5d8fe638b3cb31229945f659aae5623f219bcd1d68ddc375f1633fa8e857a9b2f50c9e05a06efce165370137d6e116a4f187466637f'
'9d0dd88e4a34e9f97abda1785698e4b2a5e8202063deeb91b84e13c05e00b07e45b8d4d9eca09b9241b1138bbbfdc999dba0135c18f5bc0c08d65b0cd83b367b'
- '6f411daf18fbeeb7cc8626652f4b87ac6ec5e4ec1212821c426de711c907be41ab995d5b35be4ff0d663edb1028f99d6c07a53158acf519e7560e230c022c986')
+ '0f74a662e2eee56a89f5735e686910043ad5589b638e56a7ad3caa6d3b111cfbf1c131fe1b2ee34ce0d10d2f8a041a183f1382b1e1c9594f7e793c92161ef17a')
b2sums=('fa4b70c9920d518df6c939395eca857c237a75218b90ada45564f2d84266d65df12898e4efbb52905829948061e10e72b5442943fd5061a28447330ae8d491e8'
'b3af60e144ef857e42ec672e806e9600265ab7d2ea4a75011de9ab56918a008437afdacb301df210b54424fb7ff1e9a332831c67b2e58fd6bc0a0aa1eebe8909'
'41916d62f5e3f1060bd21db0722abe837754a4cb915af218c904dafac4b06794f8fde2e34486fb7392777b4738502f3df4c1390b835050045337585b064e23bb'
- '5ae0e87d4235a864ca482a6701e0631cdaccc3dceef71237d5bd708be08c3b7e1890793d01f8c51eaa108a097cfefbb31abb71cf69b195c0f50f95720965391f')
+ '8d7e732bb7430428db2b60ffd8b4b1c3e85cbda4a1b900ae28d80c46a64e97ab484d9cc13aaa2582eeca4063f4e74141754f1e67769d444b08b3663f62cf8bf1')
prepare() {
mv -v ${_name}-${pkgver} ${pkgname}-${pkgver}
Modified: radicale.service
===================================================================
--- radicale.service 2021-07-24 23:45:59 UTC (rev 984928)
+++ radicale.service 2021-07-25 01:20:13 UTC (rev 984929)
@@ -11,16 +11,18 @@
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes
+PrivateDevices=yes
PrivateTmp=yes
-PrivateDevices=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateUsers=yes
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
-ProtectControlGroups=true
-ReadWritePaths=/var/lib/radicale
+ProtectProc=invisible
+ProtectSystem=strict
RemoveIPC=true
Restart=on-failure
RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX
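Review bot: The added `PrivateUsers=yes` and the re-sorted `PrivateDevices=yes` keep the `yes` spelling while this same hunk rewrites `ProtectHome=yes` as `ProtectHome=true`, so the unit still mixes two boolean forms. Since the commit is already normalising, `PrivateDevices=true` and `PrivateUsers=true` (and `true` on the `NoNewPrivileges=`/`PrivateTmp=` context lines) would make the hardening block uniform and easier to audit. The [Service] section begins above this hunk, so its `User=`/`Group=` lines are not visible here. `PrivateUsers=` maps only root and the unit's own user and group into the namespace, so it is worth confirming that everything the service reads (config, htpasswd file, TLS key) is owned by one of those identities and not by a third account.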
@@ -27,7 +29,9 @@
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
+StateDirectory=radicale
SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@resources
UMask=0027
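Review bot: `StateDirectory=radicale` takes over from the removed `ReadWritePaths=/var/lib/radicale`, but nothing sets the directory mode, so when systemd creates it the directory gets the default 0755 even though `UMask=0027` restricts the files written inside it. Adding `StateDirectoryMode=0750` directly below would stop other local users from listing the collection tree. Separately, `SystemCallErrorNumber=EPERM` makes a filtered syscall fail with an error instead of killing the process, which also removes the SIGSYS termination as a visible signal in the journal. A comment line above it, such as `# return EPERM for filtered syscalls instead of SIGSYS; violations no longer terminate the service`, would record that the trade-off is deliberate.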
@@ -35,4 +39,3 @@
[Install]
WantedBy=multi-user.target
-