[PATCH 1/2] paccache.service.in: Harden unit

Frederik “Freso” S. Olesen freso.dk at gmail.com
Fri Jul 9 08:21:37 UTC 2021


Adds a number of sandboxing and other hardening options to the
paccache.service file.

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk at gmail.com>
---
 src/Makefile.am         |  2 ++
 src/paccache.service.in | 28 ++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/src/Makefile.am b/src/Makefile.am
index eef0590..e5af195 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -8,6 +8,7 @@ DIST_SUBDIRS = $(SUBDIRS)
 conffile  = ${sysconfdir}/pacman.conf
 dbpath    = ${localstatedir}/lib/pacman/
 gpgdir    = ${sysconfdir}/pacman.d/gnupg/
+cachedir  = ${localstatedir}/cache/pacman
 
 bin_SCRIPTS = \
 	$(OURSCRIPTS)
@@ -95,6 +96,7 @@ AM_CFLAGS = \
 
 edit = sed \
 	-e 's|@bindir[@]|$(bindir)|g' \
+	-e 's|@cachedir[@]|$(cachedir)|g' \
 	-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
 	-e 's|@localstatedir[@]|$(localstatedir)|g' \
 	-e 's|@PACKAGE_VERSION[@]|$(REAL_PACKAGE_VERSION)|g' \
diff --git a/src/paccache.service.in b/src/paccache.service.in
index cd28e67..0f71f5f 100644
--- a/src/paccache.service.in
+++ b/src/paccache.service.in
@@ -4,3 +4,31 @@ Description=Remove unused cached package files
 [Service]
 Type=oneshot
 ExecStart=@bindir@/paccache -r
+# Sandboxing and other hardening
+ProtectProc=invisible
+ProcSubset=pid
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=@cachedir@/pkg
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateIPC=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=@file-system
+SystemCallArchitectures=native
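Review bot: `SystemCallFilter=@file-system` near the end of the hunk is an allow-list, and the @file-system group only covers path and metadata calls; it leaves out @basic-io (read/write) and @process (clone/fork/wait4), so if paccache is a shell script that spawns helpers such as find and pacman-conf — which the `bin_SCRIPTS` install in Makefile.am suggests — the service will be killed with SIGSYS on its first run. The usual shape for a oneshot like this is `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources`, checked with `systemd-analyze security paccache.service` and one real run before merging. `ReadWritePaths=@cachedir@/pkg` also bakes the build-time cache directory into the unit while `ProtectSystem=strict` makes every other path read-only; if paccache resolves CacheDir from pacman.conf at runtime, a non-default CacheDir would make every removal fail with EROFS rather than a clear error. A comment above that line such as `# Must match CacheDir in pacman.conf; override via a drop-in if the cache lives elsewhere` would save the next administrator the debugging.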
-- 
2.32.0