[arch-commits] Commit in geoipupdate/trunk (PKGBUILD geoipupdate.service)

Massimiliano Torromeo mtorromeo at gemini.archlinux.org
Thu Jul 28 20:21:31 UTC 2022


    Date: Thursday, July 28, 2022 @ 20:21:31
  Author: mtorromeo
Revision: 1259022

herdened systemd service

Modified:
  geoipupdate/trunk/PKGBUILD
  geoipupdate/trunk/geoipupdate.service

---------------------+
 PKGBUILD            |    4 ++--
 geoipupdate.service |   41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 2 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2022-07-28 20:13:45 UTC (rev 1259021)
+++ PKGBUILD	2022-07-28 20:21:31 UTC (rev 1259022)
@@ -2,7 +2,7 @@
 
 pkgname=geoipupdate
 pkgver=4.9.0
-pkgrel=2
+pkgrel=3
 pkgdesc="Update GeoIP2 and GeoIP Legacy binary databases from MaxMind"
 license=('Apache' 'MIT')
 arch=('x86_64')
@@ -20,7 +20,7 @@
 )
 
 sha256sums=('43195d457a372dc07be593d815212d6ea21e499a37a6111058efa3296759cba9'
-            '94d120a089524b91b2c3095332dee66b346bc97f1496cbff677ff02afa37a6cc'
+            '46351d1fb0a5f3a6262539376cc6c22685de24d66d07f6f7a1497ed9a7a5385c'
             'ba9039ae9cc3dea4fe48480527b515cab2ad3a2f69aea5bf55f551e6895779e3')
 
 prepare() {

Modified: geoipupdate.service
===================================================================
--- geoipupdate.service	2022-07-28 20:13:45 UTC (rev 1259021)
+++ geoipupdate.service	2022-07-28 20:21:31 UTC (rev 1259022)
@@ -6,3 +6,44 @@
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/geoipupdate --config-file /etc/GeoIP.conf
+
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/GeoIP
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=invisible
+
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap



More information about the arch-commits mailing list