Date: Sunday, July 25, 2021 @ 03:17:35 Author: archange Revision: 984939
upgpkg: kresus 0.17.4-2 Modified: kresus/trunk/PKGBUILD kresus/trunk/kresus.service ----------------+ PKGBUILD | 4 ++-- kresus.service | 26 +++++++++++++++----------- 2 files changed, 17 insertions(+), 13 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2021-07-25 02:48:16 UTC (rev 984938) +++ PKGBUILD 2021-07-25 03:17:35 UTC (rev 984939) @@ -2,7 +2,7 @@ pkgname=kresus pkgver=0.17.4 -pkgrel=1 +pkgrel=2 pkgdesc="Self-hosted personal finance manager" arch=(x86_64) url="https://kresus.org" @@ -18,7 +18,7 @@ ${pkgname}.tmpfiles) sha256sums=('bf08050b9f704c5727f2e6a8410f2a2914f589372a2de539c429fd1fec0e7613' '2a1de56c469b9a8e899614e6cb6ff8d6f205b5df8d30141230f1d0bc2bf15f40' - 'cbbfcfc7714fa4c714e956fffa203511c47dde67e06dee9d87f8ff44ac3c708b' + 'f57bac585629200877e03d75631b174cafa7d8fd42ca815db9aecc9e166d200c' 'd9d30f5470c7165e4917487b69d7ab82e463da4e1355056e1035ee501d3f1adc' 'ba8ad7d9eb5d2b47fde5f6a3ab98596e5c679141b78d76d54b44830604b67632') Modified: kresus.service =================================================================== --- kresus.service 2021-07-25 02:48:16 UTC (rev 984938) +++ kresus.service 2021-07-25 03:17:35 UTC (rev 984939) @@ -12,28 +12,32 @@ Environment=NODE_ENV=production ExecStart=/usr/bin/kresus -c /etc/webapps/kresus/config.ini Restart=always +AmbientCapabilities= CapabilityBoundingSet= +LockPersonality=true +#Not compatible with NodeJS +#MemoryDenyWriteExecute=true NoNewPrivileges=true -#SecureBits=noroot-locked -ProtectSystem=strict -ProtectHome=true +PrivateDevices=true PrivateTmp=true -PrivateDevices=true PrivateUsers=true +ProtectClock=true +ProtectControlGroups=yes +ProtectHome=true ProtectHostname=true -ProtectClock=true +ProtectKernelLogs=true +ProtectKernelModules=yes ProtectKernelTunables=true -ProtectKernelModules=yes -ProtectKernelLogs=true -ProtectControlGroups=yes +ProtectProc=invisible +ProtectSystem=strict RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -LockPersonality=true -#Not compatible with NodeJS -#MemoryDenyWriteExecute=true +RestrictNamespaces=true RestrictRealtime=true RestrictSUIDSGID=true +#SecureBits=noroot-locked SystemCallArchitectures=native SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM [Install] WantedBy=multi-user.target