Date: Thursday, July 28, 2022 @ 20:21:31 Author: mtorromeo Revision: 1259022
herdened systemd service
Modified:
  geoipupdate/trunk/PKGBUILD
  geoipupdate/trunk/geoipupdate.service
---------------------+
 PKGBUILD | 4 ++--
 geoipupdate.service | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 2 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2022-07-28 20:13:45 UTC (rev 1259021)
+++ PKGBUILD 2022-07-28 20:21:31 UTC (rev 1259022)
@@ -2,7 +2,7 @@
 pkgname=geoipupdate
 pkgver=4.9.0
-pkgrel=2
+pkgrel=3
 pkgdesc="Update GeoIP2 and GeoIP Legacy binary databases from MaxMind"
 license=('Apache' 'MIT')
 arch=('x86_64')
@@ -20,7 +20,7 @@
 )
 sha256sums=('43195d457a372dc07be593d815212d6ea21e499a37a6111058efa3296759cba9'
-            '94d120a089524b91b2c3095332dee66b346bc97f1496cbff677ff02afa37a6cc'
+            '46351d1fb0a5f3a6262539376cc6c22685de24d66d07f6f7a1497ed9a7a5385c'
             'ba9039ae9cc3dea4fe48480527b515cab2ad3a2f69aea5bf55f551e6895779e3')
 prepare() {
Modified: geoipupdate.service
===================================================================
--- geoipupdate.service 2022-07-28 20:13:45 UTC (rev 1259021)
+++ geoipupdate.service 2022-07-28 20:21:31 UTC (rev 1259022)
@@ -6,3 +6,44 @@
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/geoipupdate --config-file /etc/GeoIP.conf
+
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/GeoIP
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=invisible
+
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap
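Review bot: The hardening block still leaves the updater running as uid 0 — nothing in the hunk sets `User=`, `DynamicUser=` or `StateDirectory=`, so once `CapabilityBoundingSet=` is emptied and `ReadWritePaths=/var/lib/GeoIP` granted, it is file ownership rather than a dedicated user that confines the process (the unit's `[Unit]` section and any lines after the old line 8 are outside this hunk, so a `User=` there would change this). Replacing the `ReadWritePaths=` line with `DynamicUser=true` and `StateDirectory=GeoIP` would run the updater as a transient unprivileged user and let systemd create and own `/var/lib/GeoIP`, at the cost of adjusting whatever in the package currently creates that directory. The two `RestrictAddressFamilies=` lines admit only AF_INET and AF_INET6; if name resolution on the host goes through a local socket (nscd, or an nss module that talks to systemd-resolved), lookups will fail inside this sandbox, so one test run before shipping is worthwhile, with `AF_UNIX` added if it does. As a matter of style, the eleven `SystemCallFilter=~@…` deny entries could be collapsed to the allow-list `SystemCallFilter=@system-service`, which systemd.exec(5) recommends over deny lists because syscalls outside the list are rejected by default instead of admitted.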