[PATCH v2 1/2] paccache.service.in: Harden unit

Daniel M. Capella polyzen at archlinux.org
Wed Jul 28 00:24:02 UTC 2021


Pushed, thank you!

On 7/9/21 7:01 AM, Frederik “Freso” S. Olesen via pacman-contrib wrote:
> Adds a number of sandboxing and other hardening options to the
> paccache.service file.
>
> Signed-off-by: Frederik “Freso” S. Olesen <freso.dk at gmail.com>
> ---
>   src/paccache.service.in | 27 +++++++++++++++++++++++++++
>   1 file changed, 27 insertions(+)
>
> diff --git a/src/paccache.service.in b/src/paccache.service.in
> index cd28e67..927574f 100644
> --- a/src/paccache.service.in
> +++ b/src/paccache.service.in
> @@ -4,3 +4,30 @@ Description=Remove unused cached package files
>   [Service]
>   Type=oneshot
>   ExecStart=@bindir@/paccache -r
> +# Sandboxing and other hardening
> +ProtectProc=invisible
> +ProcSubset=pid
> +NoNewPrivileges=yes
> +ProtectSystem=full
> +ProtectHome=yes
> +PrivateTmp=yes
> +PrivateDevices=yes
> +PrivateNetwork=yes
> +PrivateIPC=yes
> +PrivateUsers=yes
> +ProtectHostname=yes
> +ProtectClock=yes
> +ProtectKernelTunables=yes
> +ProtectKernelModules=yes
> +ProtectKernelLogs=yes
> +ProtectControlGroups=yes
> +RestrictAddressFamilies=AF_UNIX
> +RestrictNamespaces=yes
> +LockPersonality=yes
> +MemoryDenyWriteExecute=yes
> +RestrictRealtime=yes
> +RestrictSUIDSGID=yes
> +RemoveIPC=yes
> +PrivateMounts=yes
> +SystemCallFilter=@file-system
> +SystemCallArchitectures=native

-- 
Best,
Daniel <https://danielcapella.com>
