diff options
| author |   James Le Cuirot <chewi@gentoo.org> | 2022-03-20 22:54:58 +0000 |
|---|---|---|
| committer | James Le Cuirot <chewi@gentoo.org> | 2022-03-20 22:54:58 +0000 |
| commit | 854bcc4eb92704b189020c527dd9f24f1c8f02f2 (patch) | |
| tree | 3ea763eea4565f4db97e0229a70c53c06dabc170 /games-util | |
| parent | games-util/joycond: Patch to install systemd files in the right locations (diff) | |
| download | gentoo-854bcc4eb92704b189020c527dd9f24f1c8f02f2.tar.gz gentoo-854bcc4eb92704b189020c527dd9f24f1c8f02f2.tar.bz2 gentoo-854bcc4eb92704b189020c527dd9f24f1c8f02f2.zip | |
games-util/joycond: Patch to lock down the systemd service
Thanks to Andrew Udvare.
Closes: https://bugs.gentoo.org/833792
Signed-off-by: James Le Cuirot <chewi@gentoo.org>
Diffstat (limited to 'games-util')
| -rw-r--r-- | games-util/joycond/files/joycond-systemd-paranoia.patch | 45 | ||||
| -rw-r--r-- | games-util/joycond/files/joycond-systemd-paths.patch (renamed from games-util/joycond/files/joycond-systemd.patch) | 0 | ||||
| -rw-r--r-- | games-util/joycond/joycond-0.1.0_p20210730-r1.ebuild | 3 |
3 files changed, 47 insertions, 1 deletions
diff --git a/games-util/joycond/files/joycond-systemd-paranoia.patch b/games-util/joycond/files/joycond-systemd-paranoia.patch new file mode 100644 index 000000000000..f6803d074f17 --- /dev/null +++ b/games-util/joycond/files/joycond-systemd-paranoia.patch @@ -0,0 +1,45 @@ +From d39ce9de9420560494d92519f4e29a40d685a5b4 Mon Sep 17 00:00:00 2001 +From: Andrew Udvare <audvare@gmail.com> +Date: Sun, 12 Dec 2021 22:02:00 -0500 +Subject: [PATCH] systemd service: paranoia mode + +--- + systemd/joycond.service | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/systemd/joycond.service b/systemd/joycond.service +index cc8e408..5a8b045 100644 +--- a/systemd/joycond.service ++++ b/systemd/joycond.service +@@ -4,12 +4,26 @@ After=network.target + + [Service] + ExecStart=/usr/bin/joycond +-WorkingDirectory=/root +-StandardOutput=inherit +-StandardError=inherit + Restart=always +-User=root ++ ++DeviceAllow=char-input ++DevicePolicy=closed ++LockPersonality=yes ++MemoryDenyWriteExecute=yes ++NoNewPrivileges=yes ++ProtectClock=yes ++PrivateTmp=yes ++ProtectHome=yes ++ProtectHostname=yes ++ProtectControlGroups=yes ++ProtectKernelModules=yes ++ProtectProc=noaccess ++ProtectSystem=strict ++RestrictAddressFamilies=AF_NETLINK ++RestrictNetworkInterfaces= ++RestrictRealtime=yes ++RestrictSUIDSGID=yes ++SocketBindDeny=any + + [Install] + WantedBy=multi-user.target +- diff --git a/games-util/joycond/files/joycond-systemd.patch b/games-util/joycond/files/joycond-systemd-paths.patch index 8b8288350a3e..8b8288350a3e 100644 --- a/games-util/joycond/files/joycond-systemd.patch +++ b/games-util/joycond/files/joycond-systemd-paths.patch diff --git a/games-util/joycond/joycond-0.1.0_p20210730-r1.ebuild b/games-util/joycond/joycond-0.1.0_p20210730-r1.ebuild index 85cfd03bba1c..89a5d6774449 100644 --- a/games-util/joycond/joycond-0.1.0_p20210730-r1.ebuild +++ b/games-util/joycond/joycond-0.1.0_p20210730-r1.ebuild @@ -32,7 +32,8 @@ CONFIG_CHECK=" S="${WORKDIR}/${PN}-${COMMIT}" PATCHES=( - "${FILESDIR}"/${PN}-systemd.patch + "${FILESDIR}"/${PN}-systemd-paths.patch + "${FILESDIR}"/${PN}-systemd-paranoia.patch ) src_install() { |