Date: Sunday, July 25, 2021 @ 02:38:09 Author: archange Revision: 984935
Harden the systemd service a bit more
Modified:
  gitea/trunk/PKGBUILD
  gitea/trunk/gitea.service
---------------+
PKGBUILD | 4 ++--
gitea.service | 23 +++++++++++++----------
2 files changed, 15 insertions(+), 12 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-07-25 02:10:36 UTC (rev 984934)
+++ PKGBUILD 2021-07-25 02:38:09 UTC (rev 984935)
@@ -4,7 +4,7 @@
 pkgname=gitea
 pkgver=1.14.5
-pkgrel=1
+pkgrel=2
 pkgdesc="Painless self-hosted Git service, community managed."
 arch=(x86_64)
 url="https://gitea.io"
@@ -29,7 +29,7 @@
 gitea-arch-defaults.patch)
 sha256sums=(SKIP
 1521fd7edc3830c695698ffe9835709f1408040b5ec989f07410972c894fa8ba
- d4e6b0dc3d5b40c3f1254b5a8bc8f62e0b1126e0559b1f024b3ebf0ccda91af8
+ 0c4ebf8a458eee277740a5febb8b976a8a63e83679587410c1c0801efa046545
 7e7b798b8ce035c1fb55993ece41c5efb6cad5922708866804fa50ada0cf9fa5
 912b5c41a6ca0b5be948a4eff0475e596cdc685bfd3da2aa914b5f762aaf272c)
 validpgpkeys=(
Modified: gitea.service
===================================================================
--- gitea.service 2021-07-25 02:10:36 UTC (rev 984934)
+++ gitea.service 2021-07-25 02:38:09 UTC (rev 984935)
@@ -19,24 +19,27 @@
 ExecStart=/usr/bin/gitea web -c /etc/gitea/app.ini
 Restart=always
 RestartSec=2s
+ReadWritePaths=/etc/gitea/app.ini
+AmbientCapabilities=
 CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
 NoNewPrivileges=True
 #SecureBits=noroot-locked
-ProtectSystem=strict
-ProtectHome=true
-ReadWritePaths=/etc/gitea/app.ini
+PrivateDevices=true
 PrivateTmp=true
-PrivateDevices=true
 PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
 ProtectHostname=true
-ProtectClock=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
 ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-LockPersonality=true
-MemoryDenyWriteExecute=true
+ProtectProc=invisible
+ProtectSystem=strict
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
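Review bot: `ReadWritePaths=/etc/gitea/app.ini` is the only write exception kept under `ProtectSystem=strict`, and nothing in the hunk records why the service must be able to rewrite its own configuration; since a compromised process could then edit app.ini, a comment such as `# app.ini stays writable for the web installer; reconsider once setup is complete` would tell an admin when this exception can be dropped. The same commit reorders the directives alphabetically, so the genuinely new settings (`AmbientCapabilities=`, `ProtectProc=invisible`, `RestrictNamespaces=true`) are hard to pick out of a 13/10 diffstat; a separate reorder-only commit would keep the hardening change reviewable. The `[Service]` section starts above this hunk, so whether data and log locations are writable (via `StateDirectory=`, `LogsDirectory=` or further `ReadWritePaths=` lines) cannot be checked from here. `SystemCallArchitectures=native` is present without a `SystemCallFilter=`, which is where most of the syscall attack-surface reduction would come from; `SystemCallFilter=@system-service` is the usual companion, but it should be tested against Gitea's git and ssh subprocesses before landing. The boolean spelling `NoNewPrivileges=True` also differs from the `true` used on every other line and could be normalized while the file is being touched.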