Date: Sunday, July 25, 2021 @ 02:10:28 Author: archange Revision: 984933
Harden systemd service a bit more Modified: cozy-stack/trunk/PKGBUILD cozy-stack/trunk/cozy-stack.service --------------------+ PKGBUILD | 4 ++-- cozy-stack.service | 27 ++++++++++++++++----------- 2 files changed, 18 insertions(+), 13 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-07-25 01:24:14 UTC (rev 984932)
+++ PKGBUILD 2021-07-25 02:10:28 UTC (rev 984933)
@@ -2,7 +2,7 @@
 pkgname=cozy-stack
 pkgver=1.4.36
-pkgrel=1
+pkgrel=2
 epoch=1
 pkgdesc="Digital home: brings all your web services in the same private space – Stack component"
 arch=(x86_64)
@@ -22,7 +22,7 @@
 ${pkgname}.tmpfiles)
 sha256sums=('b9d13bc51a9ae9dec9141b8b391900ccd3ab81933ecd4c7d9606c95f3c8729f8'
 'a6ae871ec726f81d091918dffae4025b993656551185662242dcc2f7de4516c3'
- '6cb30c0a6d45b30827463b26c43fb2e1df9402392e6f23da1622e044ab84b580'
+ '4ef3e901725167edd970a7f288e60f3729c12ae8a07289b6bb09bc96d6851b42'
 'a6bea52350e85163c3141509a52903223fa0f6e7390b1b1f9336c326a8fff984'
 '04043ed0b2bf1c811417eec3b89a049f5353ad16f032497ff5c9a610eafa879d')
Modified: cozy-stack.service
===================================================================
--- cozy-stack.service 2021-07-25 01:24:14 UTC (rev 984932)
+++ cozy-stack.service 2021-07-25 02:10:28 UTC (rev 984933)
@@ -11,27 +11,32 @@
 StateDirectory=cozy
 ExecStart=/usr/bin/cozy-stack serve
 Restart=always
+AmbientCapabilities=
 CapabilityBoundingSet=
+LockPersonality=true
+#Not compatible with NodeJS
+#MemoryDenyWriteExecute=true
 NoNewPrivileges=True
-#SecureBits=noroot-locked
-ProtectSystem=strict
-ProtectHome=true
+PrivateDevices=true
 PrivateTmp=true
-PrivateDevices=true
 PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
 ProtectHostname=true
-ProtectClock=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
 ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-LockPersonality=true
-#Not compatible with NodeJS
-#MemoryDenyWriteExecute=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
+#SecureBits=noroot-locked
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 [Install]
 WantedBy=multi-user.target
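Review bot: `SystemCallErrorNumber=EPERM`, added right after `SystemCallFilter=@system-service`, changes a filter hit from a SIGSYS kill into a soft EPERM handed back to cozy-stack, so a blocked syscall now surfaces as an application error or silent misbehaviour instead of a service crash with a seccomp record in the journal. If that trade-off is deliberate, a one-line comment would save the next maintainer a debugging session, e.g. `# Blocked syscalls return EPERM instead of SIGSYS; check strace/journal when something misbehaves`. Two settings that `systemd-analyze security` usually reports as missing would fit this hardening pass if the daemon does not need them: `RemoveIPC=true` and `UMask=0077`. The unit's `[Service]` header with `User=`/`Group=` lies above the hunk, so this note only covers the sandboxing keys shown here.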