[PATCH 1/2] paccache.service.in: Harden unit

Morgan Adamiec morganamilo at archlinux.org
Fri Jul 9 08:56:30 UTC 2021



On 09/07/2021 09:21, Frederik “Freso” S. Olesen via pacman-contrib wrote:
> Adds a number of sandboxing and other hardening options to the
> paccache.service file.
> 
> Signed-off-by: Frederik “Freso” S. Olesen <freso.dk at gmail.com>
> ---
>  src/Makefile.am         |  2 ++
>  src/paccache.service.in | 28 ++++++++++++++++++++++++++++
>  2 files changed, 30 insertions(+)
> 
> diff --git a/src/Makefile.am b/src/Makefile.am
> index eef0590..e5af195 100644
> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -8,6 +8,7 @@ DIST_SUBDIRS = $(SUBDIRS)
>  conffile  = ${sysconfdir}/pacman.conf
>  dbpath    = ${localstatedir}/lib/pacman/
>  gpgdir    = ${sysconfdir}/pacman.d/gnupg/
> +cachedir  = ${localstatedir}/cache/pacman
>  
>  bin_SCRIPTS = \
>  	$(OURSCRIPTS)
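Review bot: `cachedir` is defined here as `${localstatedir}/cache/pacman` and the unit appends `/pkg` itself, whereas the neighbouring `dbpath` and `gpgdir` carry the full default path with a trailing slash. For consistency with those variables define `cachedir  = ${localstatedir}/cache/pacman/pkg/` and reference `@cachedir@` directly in the unit. Note also that this bakes in a build-time default only; whatever `CacheDir` entries pacman.conf configures at runtime are not reflected in the substituted value.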
> @@ -95,6 +96,7 @@ AM_CFLAGS = \
>  
>  edit = sed \
>  	-e 's|@bindir[@]|$(bindir)|g' \
> +	-e 's|@cachedir[@]|$(cachedir)|g' \
>  	-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
>  	-e 's|@localstatedir[@]|$(localstatedir)|g' \
>  	-e 's|@PACKAGE_VERSION[@]|$(REAL_PACKAGE_VERSION)|g' \
> diff --git a/src/paccache.service.in b/src/paccache.service.in
> index cd28e67..0f71f5f 100644
> --- a/src/paccache.service.in
> +++ b/src/paccache.service.in
> @@ -4,3 +4,31 @@ Description=Remove unused cached package files
>  [Service]
>  Type=oneshot
>  ExecStart=@bindir@/paccache -r
> +# Sandboxing and other hardening
> +ProtectProc=invisible
> +ProcSubset=pid
> +NoNewPrivileges=yes
> +ProtectSystem=strict
> +ProtectHome=yes
> +ReadWritePaths=@cachedir@/pkg

I and many others have multiple custom cachedirs.

> +PrivateTmp=yes
> +PrivateDevices=yes
> +PrivateNetwork=yes
> +PrivateIPC=yes
> +PrivateUsers=yes
> +ProtectHostname=yes
> +ProtectClock=yes
> +ProtectKernelTunables=yes
> +ProtectKernelModules=yes
> +ProtectKernelLogs=yes
> +ProtectControlGroups=yes
> +RestrictAddressFamilies=AF_UNIX
> +RestrictNamespaces=yes
> +LockPersonality=yes
> +MemoryDenyWriteExecute=yes
> +RestrictRealtime=yes
> +RestrictSUIDSGID=yes
> +RemoveIPC=yes
> +PrivateMounts=yes
> +SystemCallFilter=@file-system
> +SystemCallArchitectures=native
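Review bot: `SystemCallFilter=@file-system` is written as an allow-list (no leading `~`), so every system call outside that group, beyond the small set systemd always permits, terminates the process with SIGSYS, and that is too narrow for a bash script: read(2)/write(2) live in @basic-io, fork/clone and wait in @process, and signal handling in @signal. The documented pattern for services is `SystemCallFilter=@system-service` optionally tightened with deny-lists such as `SystemCallFilter=~@privileged @resources`; after changing it, run `systemctl start paccache.service` and check `journalctl -u paccache.service` for a main process killed with status SYS. Two smaller points in the same block: with `ProtectSystem=strict` and a single `ReadWritePaths=@cachedir@/pkg`, any other CacheDir configured in pacman.conf is read-only to `paccache -r` (and anything under /home is hidden entirely by `ProtectHome=yes`), so removals there fail with a read-only file system error; and `RemoveIPC=yes` only takes effect when `User=`, `Group=` or `DynamicUser=` is set, none of which this unit uses, so it can be dropped.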
> 