commit: 5818e1f7fde117921cbb487e9044bb15f337079c Author: Craig Andrews <candrews <AT> integralblue <DOT> com> AuthorDate: Wed Jun 29 20:58:13 2016 +0000 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> CommitDate: Mon Aug 8 23:04:32 2016 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5818e1f7
mail-filter/amavisd-new-2.11.0-r2: additional systemd hardening Gentoo-bug: 587540 Closes: https://github.com/gentoo/gentoo/pull/1797 ...amavisd-new-2.11.0-r1.ebuild => amavisd-new-2.11.0-r2.ebuild} | 0 mail-filter/amavisd-new/files/amavisd.service | 9 +++++++++ 2 files changed, 9 insertions(+)
diff --git a/mail-filter/amavisd-new/amavisd-new-2.11.0-r1.ebuild b/mail-filter/amavisd-new/amavisd-new-2.11.0-r2.ebuild
similarity index 100%
rename from mail-filter/amavisd-new/amavisd-new-2.11.0-r1.ebuild
rename to mail-filter/amavisd-new/amavisd-new-2.11.0-r2.ebuild
diff --git a/mail-filter/amavisd-new/files/amavisd.service b/mail-filter/amavisd-new/files/amavisd.service
index 2a56e44..c53c38a 100644
--- a/mail-filter/amavisd-new/files/amavisd.service
+++ b/mail-filter/amavisd-new/files/amavisd.service
@@ -6,8 +6,17 @@ Wants=clamd.service
 After=network.target
 [Service]
+User=amavis
+Group=amavis
 ExecStart=/usr/sbin/amavisd -c /etc/amavisd.conf foreground
 ExecReload=/usr/sbin/amavisd -c /etc/amavisd.conf reload
+PrivateTmp=true
+CapabilityBoundingSet=
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectHome=true
+MemoryDenyWriteExecute=true
 [Install]
 WantedBy=multi-user.target
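Review bot: `PrivateTmp=true` gives amavisd its own /tmp and /var/tmp, while the clamd.service this unit pulls in via `Wants=` runs outside that namespace, so if amavisd's work directory (`$TEMPBASE`) or the clamd socket is configured under /tmp, clamd cannot reach the files it is asked to scan and scanning fails. Neither path is visible in the hunk, so this should be verified and recorded with a comment above the directive, e.g. `# PrivateTmp: $TEMPBASE and the clamd socket must live outside /tmp and /var/tmp`. In the same way, `User=amavis` combined with the empty `CapabilityBoundingSet=` and `NoNewPrivileges=true` means the daemon never holds root, so a configured `$daemon_chroot_dir` or a privileged listening port in /etc/amavisd.conf would presumably stop working; a one-line comment stating that the unit, not amavisd, now performs the privilege drop would help admins who customise the config. `MemoryDenyWriteExecute=true` is ignored with a logged warning by systemd releases that predate the directive, so the ebuild should state the minimum systemd version if this protection is being relied on.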