commit: 854bcc4eb92704b189020c527dd9f24f1c8f02f2 Author: James Le Cuirot <chewi <AT> gentoo <DOT> org> AuthorDate: Sun Mar 20 22:54:58 2022 +0000 Commit: James Le Cuirot <chewi <AT> gentoo <DOT> org> CommitDate: Sun Mar 20 22:54:58 2022 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=854bcc4e
games-util/joycond: Patch to lock down the systemd service
Thanks to Andrew Udvare.
Closes: https://bugs.gentoo.org/833792
Signed-off-by: James Le Cuirot <chewi <AT> gentoo.org>
 .../joycond/files/joycond-systemd-paranoia.patch | 45 ++++++++++++++++++++++
 ...d-systemd.patch => joycond-systemd-paths.patch} | 0
 .../joycond/joycond-0.1.0_p20210730-r1.ebuild | 3 +-
 3 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/games-util/joycond/files/joycond-systemd-paranoia.patch b/games-util/joycond/files/joycond-systemd-paranoia.patch
new file mode 100644
index 000000000000..f6803d074f17
--- /dev/null
+++ b/games-util/joycond/files/joycond-systemd-paranoia.patch
@@ -0,0 +1,45 @@
+From d39ce9de9420560494d92519f4e29a40d685a5b4 Mon Sep 17 00:00:00 2001
+From: Andrew Udvare <[email protected]>
+Date: Sun, 12 Dec 2021 22:02:00 -0500
+Subject: [PATCH] systemd service: paranoia mode
+
+---
+ systemd/joycond.service | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/systemd/joycond.service b/systemd/joycond.service
+index cc8e408..5a8b045 100644
+--- a/systemd/joycond.service
++++ b/systemd/joycond.service
+@@ -4,12 +4,26 @@ After=network.target
+ 
+ [Service]
+ ExecStart=/usr/bin/joycond
+-WorkingDirectory=/root
+-StandardOutput=inherit
+-StandardError=inherit
+ Restart=always
+-User=root
++
++DeviceAllow=char-input
++DevicePolicy=closed
++LockPersonality=yes
++MemoryDenyWriteExecute=yes
++NoNewPrivileges=yes
++ProtectClock=yes
++PrivateTmp=yes
++ProtectHome=yes
++ProtectHostname=yes
++ProtectControlGroups=yes
++ProtectKernelModules=yes
++ProtectProc=noaccess
++ProtectSystem=strict
++RestrictAddressFamilies=AF_NETLINK
++RestrictNetworkInterfaces=
++RestrictRealtime=yes
++RestrictSUIDSGID=yes
++SocketBindDeny=any
+ 
+ [Install]
+ WantedBy=multi-user.target
+-
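Review bot: With `DevicePolicy=closed` the only device class this unit opens up is `DeviceAllow=char-input`, which is the `input` character-major group (the /dev/input/event* nodes), and /dev/uinput is a `misc` character device (major 10) that this rule does not match; if joycond creates its virtual combined controllers through uinput, as its upstream design does, the cgroup device filter will make that open() fail with EPERM at runtime even though the file permissions allow it. The fix is one line next to the existing rule, `DeviceAllow=/dev/uinput rw`, and a pairing should be tested before the patch ships, because the failure only shows up when a device is actually created. `RestrictNetworkInterfaces=` with an empty value merely resets the list and grants or denies nothing, so it can be dropped; `RestrictAddressFamilies=AF_NETLINK` is presumably what the udev monitor needs and looks right. The list would be rounded out by `ProtectKernelTunables=yes`, `ProtectKernelLogs=yes`, `RestrictNamespaces=yes`, `SystemCallArchitectures=native` and a `CapabilityBoundingSet=` trimmed to what device handling requires, since the service still runs as root (removing `User=root` is cosmetic, root is the default). `ProtectProc=`, `SocketBindDeny=` and `RestrictNetworkInterfaces=` need systemd 247/249 or newer and are ignored with a journal warning on older versions, which is acceptable but worth a short comment in the patch header.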
diff --git a/games-util/joycond/files/joycond-systemd.patch b/games-util/joycond/files/joycond-systemd-paths.patch
similarity index 100%
rename from games-util/joycond/files/joycond-systemd.patch
rename to games-util/joycond/files/joycond-systemd-paths.patch
diff --git a/games-util/joycond/joycond-0.1.0_p20210730-r1.ebuild b/games-util/joycond/joycond-0.1.0_p20210730-r1.ebuild
index 85cfd03bba1c..89a5d6774449 100644
--- a/games-util/joycond/joycond-0.1.0_p20210730-r1.ebuild
+++ b/games-util/joycond/joycond-0.1.0_p20210730-r1.ebuild
@@ -32,7 +32,8 @@ CONFIG_CHECK="
 S="${WORKDIR}/${PN}-${COMMIT}"
 
 PATCHES=(
-	"${FILESDIR}"/${PN}-systemd.patch
+	"${FILESDIR}"/${PN}-systemd-paths.patch
+	"${FILESDIR}"/${PN}-systemd-paranoia.patch
 )
 
 src_install() {
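Review bot: The new paranoia patch changes the unit file that `joycond-0.1.0_p20210730-r1.ebuild` installs, but the ebuild is edited in place rather than revision-bumped, so anyone who already has -r1 merged keeps the old unrestricted unit until something else triggers a rebuild. If -r1 has been in the tree long enough to be installed anywhere, the usual move is to copy it to `joycond-0.1.0_p20210730-r2.ebuild` and drop -r1 so the hardened unit actually reaches existing systems. The renamed `joycond-systemd-paths.patch` is byte-identical (similarity index 100%), so only the new second PATCHES entry changes behaviour; the enclosing ebuild continues outside the hunk.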
