Date: Sunday, July 25, 2021 @ 04:00:28 Author: archange Revision: 984941
Harden systemd service a bit more
Modified:
mattermost/trunk/PKGBUILD
mattermost/trunk/mattermost.service
--------------------+
PKGBUILD | 4 ++--
mattermost.service | 27 +++++++++++++++------------
2 files changed, 17 insertions(+), 14 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-07-25 03:17:43 UTC (rev 984940)
+++ PKGBUILD 2021-07-25 04:00:28 UTC (rev 984941)
@@ -5,7 +5,7 @@
 pkgname=mattermost
 pkgver=5.37.0
-pkgrel=1
+pkgrel=2
 pkgdesc="Open source Slack-alternative in Golang and React"
 arch=(x86_64)
 url="https://mattermost.com"
@@ -23,7 +23,7 @@
 ${pkgname}.tmpfiles)
 sha256sums=('272daceaeb07c657f19c2f8f75244560ac9dfae1d6a0191d921223c6f4477753'
 'a15b8ad1e51226650435cb905bc84f6cfd86997f2f41971df5e0594e610034fa'
- '8236235749e3f54b494159b80bf677a7c09cf8d87001fa431925a0e423d3f33e'
+ 'e5ba4a4f9c5f32816b997d5c02f6ddf3ef1e8259ae8dff5ef18865d076b70316'
 'f7bd36f6d7874f1345d205c6dcb79af1804362fc977a658db88951a172d1dfa0'
 '8dfeee28655b91dc75aca2317846284013ac3d5a837d360eba9641e9fbcf3aa2')
Modified: mattermost.service
===================================================================
--- mattermost.service 2021-07-25 03:17:43 UTC (rev 984940)
+++ mattermost.service 2021-07-25 04:00:28 UTC (rev 984941)
@@ -13,29 +13,32 @@
 LogsDirectory=mattermost
 ExecStart=/usr/bin/mattermost
 Restart=on-failure
+ReadWritePaths=/etc/webapps/mattermost/config.json
 CapabilityBoundingSet=
+LockPersonality=true
+#Not compatible with NodeJS
+#MemoryDenyWriteExecute=true
 NoNewPrivileges=True
-#SecureBits=noroot-locked
-ProtectSystem=strict
-ProtectHome=true
-ReadWritePaths=/etc/webapps/mattermost/config.json
+PrivateDevices=true
 PrivateTmp=true
-PrivateDevices=true
 PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
 ProtectHostname=true
-ProtectClock=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
 ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
+ProtectProc=invisible
+ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-LockPersonality=true
-#Not compatible with NodeJS
-#MemoryDenyWriteExecute=true
+RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
+#SecureBits=noroot-locked
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 [Install]
 WantedBy=multi-user.target
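Review bot: `SystemCallErrorNumber=EPERM`, added as the last [Service] line, changes what the `SystemCallFilter=@system-service` allow-list does on a violation: the offending call now returns EPERM instead of the process being terminated, so a filtered syscall no longer shows up as a killed service in the journal. If that compatibility trade-off is intended, say so next to the line, e.g. `#Return EPERM instead of killing the process on a filtered syscall`, and consider a `SystemCallLog=` entry (where the packaged systemd supports it) so violations stay observable. `#SecureBits=noroot-locked` is also carried over commented out with no reason given, unlike `#MemoryDenyWriteExecute=true`; a one-line reason above it would help whoever revisits the hardening. The [Service] section starts above the hunk, so settings outside these lines were not reviewed.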