[arch-commits] Commit in gitea/trunk (PKGBUILD gitea.service)

Bruno Pagani archange at gemini.archlinux.org
Sun Jul 25 02:38:10 UTC 2021


    Date: Sunday, July 25, 2021 @ 02:38:09
  Author: archange
Revision: 984935

Harden the systemd service a bit more

Modified:
  gitea/trunk/PKGBUILD
  gitea/trunk/gitea.service

---------------+
 PKGBUILD      |    4 ++--
 gitea.service |   23 +++++++++++++----------
 2 files changed, 15 insertions(+), 12 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2021-07-25 02:10:36 UTC (rev 984934)
+++ PKGBUILD	2021-07-25 02:38:09 UTC (rev 984935)
@@ -4,7 +4,7 @@
 
 pkgname=gitea
 pkgver=1.14.5
-pkgrel=1
+pkgrel=2
 pkgdesc="Painless self-hosted Git service, community managed."
 arch=(x86_64)
 url="https://gitea.io"
@@ -29,7 +29,7 @@
         gitea-arch-defaults.patch)
 sha256sums=(SKIP
             1521fd7edc3830c695698ffe9835709f1408040b5ec989f07410972c894fa8ba
-            d4e6b0dc3d5b40c3f1254b5a8bc8f62e0b1126e0559b1f024b3ebf0ccda91af8
+            0c4ebf8a458eee277740a5febb8b976a8a63e83679587410c1c0801efa046545
             7e7b798b8ce035c1fb55993ece41c5efb6cad5922708866804fa50ada0cf9fa5
             912b5c41a6ca0b5be948a4eff0475e596cdc685bfd3da2aa914b5f762aaf272c)
 validpgpkeys=(

Modified: gitea.service
===================================================================
--- gitea.service	2021-07-25 02:10:36 UTC (rev 984934)
+++ gitea.service	2021-07-25 02:38:09 UTC (rev 984935)
@@ -19,24 +19,27 @@
 ExecStart=/usr/bin/gitea web -c /etc/gitea/app.ini
 Restart=always
 RestartSec=2s
+ReadWritePaths=/etc/gitea/app.ini
+AmbientCapabilities=
 CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
 NoNewPrivileges=True
 #SecureBits=noroot-locked
-ProtectSystem=strict
-ProtectHome=true
-ReadWritePaths=/etc/gitea/app.ini
+PrivateDevices=true
 PrivateTmp=true
-PrivateDevices=true
 PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
 ProtectHostname=true
-ProtectClock=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
 ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-LockPersonality=true
-MemoryDenyWriteExecute=true
+ProtectProc=invisible
+ProtectSystem=strict
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
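Review bot: The hardening set still has no SystemCallFilter= to pair with `SystemCallArchitectures=native`, so the daemon keeps the full syscall table despite the empty CapabilityBoundingSet=, PrivateUsers= and RestrictNamespaces= added here; `SystemCallFilter=@system-service` with `SystemCallFilter=~@privileged @resources` is the usual companion and would be the next line to add. ProtectSystem=strict together with only `ReadWritePaths=/etc/gitea/app.ini` leaves every other path read-only, so the head of the [Service] section above this hunk (outside the visible lines) has to grant the repository and log locations through StateDirectory=/LogsDirectory= or further ReadWritePaths= entries, or the service will fail on its first write; worth confirming after the reorder. A short comment next to the ReadWritePaths line, such as `# ProtectSystem=strict: only app.ini is writable here, data dirs must be granted elsewhere in the unit`, would make that dependency visible to the next person editing the list.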


