[arch-commits] Commit in cozy-stack/trunk (PKGBUILD cozy-stack.service)

Bruno Pagani archange at gemini.archlinux.org
Sun Jul 25 02:10:30 UTC 2021


    Date: Sunday, July 25, 2021 @ 02:10:28
  Author: archange
Revision: 984933

Harden systemd service a bit more

Modified:
  cozy-stack/trunk/PKGBUILD
  cozy-stack/trunk/cozy-stack.service

--------------------+
 PKGBUILD           |    4 ++--
 cozy-stack.service |   27 ++++++++++++++++-----------
 2 files changed, 18 insertions(+), 13 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2021-07-25 01:24:14 UTC (rev 984932)
+++ PKGBUILD	2021-07-25 02:10:28 UTC (rev 984933)
@@ -2,7 +2,7 @@
 
 pkgname=cozy-stack
 pkgver=1.4.36
-pkgrel=1
+pkgrel=2
 epoch=1
 pkgdesc="Digital home: brings all your web services in the same private space – Stack component"
 arch=(x86_64)
@@ -22,7 +22,7 @@
         ${pkgname}.tmpfiles)
 sha256sums=('b9d13bc51a9ae9dec9141b8b391900ccd3ab81933ecd4c7d9606c95f3c8729f8'
             'a6ae871ec726f81d091918dffae4025b993656551185662242dcc2f7de4516c3'
-            '6cb30c0a6d45b30827463b26c43fb2e1df9402392e6f23da1622e044ab84b580'
+            '4ef3e901725167edd970a7f288e60f3729c12ae8a07289b6bb09bc96d6851b42'
             'a6bea52350e85163c3141509a52903223fa0f6e7390b1b1f9336c326a8fff984'
             '04043ed0b2bf1c811417eec3b89a049f5353ad16f032497ff5c9a610eafa879d')
 

Modified: cozy-stack.service
===================================================================
--- cozy-stack.service	2021-07-25 01:24:14 UTC (rev 984932)
+++ cozy-stack.service	2021-07-25 02:10:28 UTC (rev 984933)
@@ -11,27 +11,32 @@
 StateDirectory=cozy
 ExecStart=/usr/bin/cozy-stack serve
 Restart=always
+AmbientCapabilities=
 CapabilityBoundingSet=
+LockPersonality=true
+#Not compatible with NodeJS
+#MemoryDenyWriteExecute=true
 NoNewPrivileges=True
-#SecureBits=noroot-locked
-ProtectSystem=strict
-ProtectHome=true
+PrivateDevices=true
 PrivateTmp=true
-PrivateDevices=true
 PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
 ProtectHostname=true
-ProtectClock=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
 ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-LockPersonality=true
-#Not compatible with NodeJS
-#MemoryDenyWriteExecute=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
+#SecureBits=noroot-locked
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 
 [Install]
 WantedBy=multi-user.target
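Review bot: The added `SystemCallErrorNumber=EPERM` changes what happens when the service makes a call outside `@system-service`: the call now fails with EPERM instead of the process being terminated with SIGSYS, so a filtered syscall no longer shows up as a crash of the unit and is easier to miss. If that trade-off is deliberate (presumably to keep the stack running when something probes a blocked call), say so above the line in the file's own comment style, e.g. `#Filtered syscalls fail with EPERM instead of killing the process`. Two other lines in this hunk lack a stated reason: `#SecureBits=noroot-locked` is carried along commented out with no explanation, unlike `#MemoryDenyWriteExecute=true`, and the need for `AF_NETLINK` in `RestrictAddressFamilies` is not evident from the unit. The [Service] section begins above the hunk, so earlier directives such as User= are not visible here.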


