[arch-commits] Commit in mattermost/trunk (PKGBUILD mattermost.service)

Bruno Pagani archange at gemini.archlinux.org
Sun Jul 25 04:00:29 UTC 2021


    Date: Sunday, July 25, 2021 @ 04:00:28
  Author: archange
Revision: 984941

Harden systemd service a bit more

Modified:
  mattermost/trunk/PKGBUILD
  mattermost/trunk/mattermost.service

--------------------+
 PKGBUILD           |    4 ++--
 mattermost.service |   27 +++++++++++++++------------
 2 files changed, 17 insertions(+), 14 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2021-07-25 03:17:43 UTC (rev 984940)
+++ PKGBUILD	2021-07-25 04:00:28 UTC (rev 984941)
@@ -5,7 +5,7 @@
 
 pkgname=mattermost
 pkgver=5.37.0
-pkgrel=1
+pkgrel=2
 pkgdesc="Open source Slack-alternative in Golang and React"
 arch=(x86_64)
 url="https://mattermost.com"
@@ -23,7 +23,7 @@
         ${pkgname}.tmpfiles)
 sha256sums=('272daceaeb07c657f19c2f8f75244560ac9dfae1d6a0191d921223c6f4477753'
             'a15b8ad1e51226650435cb905bc84f6cfd86997f2f41971df5e0594e610034fa'
-            '8236235749e3f54b494159b80bf677a7c09cf8d87001fa431925a0e423d3f33e'
+            'e5ba4a4f9c5f32816b997d5c02f6ddf3ef1e8259ae8dff5ef18865d076b70316'
             'f7bd36f6d7874f1345d205c6dcb79af1804362fc977a658db88951a172d1dfa0'
             '8dfeee28655b91dc75aca2317846284013ac3d5a837d360eba9641e9fbcf3aa2')
 

Modified: mattermost.service
===================================================================
--- mattermost.service	2021-07-25 03:17:43 UTC (rev 984940)
+++ mattermost.service	2021-07-25 04:00:28 UTC (rev 984941)
@@ -13,29 +13,32 @@
 LogsDirectory=mattermost
 ExecStart=/usr/bin/mattermost
 Restart=on-failure
+ReadWritePaths=/etc/webapps/mattermost/config.json
 CapabilityBoundingSet=
+LockPersonality=true
+#Not compatible with NodeJS
+#MemoryDenyWriteExecute=true
 NoNewPrivileges=True
-#SecureBits=noroot-locked
-ProtectSystem=strict
-ProtectHome=true
-ReadWritePaths=/etc/webapps/mattermost/config.json
+PrivateDevices=true
 PrivateTmp=true
-PrivateDevices=true
 PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
 ProtectHostname=true
-ProtectClock=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
 ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
+ProtectProc=invisible
+ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-LockPersonality=true
-#Not compatible with NodeJS
-#MemoryDenyWriteExecute=true
+RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
+#SecureBits=noroot-locked
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 
 [Install]
 WantedBy=multi-user.target
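Review bot: `SystemCallErrorNumber=EPERM` on the last added line of the [Service] block changes what happens when the `@system-service` filter blocks a call: instead of the process being terminated with SIGSYS, which is at least visible in the journal as a killed main process, the call fails with EPERM and execution continues, so filter violations turn into ordinary application errors that are easy to miss. If this is a deliberate compatibility choice for the Go runtime, a comment above it such as `#Blocked syscalls return EPERM instead of killing the process` would make the intent explicit, in the same way the commented-out MemoryDenyWriteExecute already explains itself; otherwise dropping the line keeps the fail-closed default. Two smaller points in the same hunk: `ProtectProc=invisible` is normally paired with `ProcSubset=pid` so that non-process /proc entries are hidden as well, and the relocated `#SecureBits=noroot-locked` line still gives no reason for being disabled. The `[Service]` header and the first keys of the section are above this hunk.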


