authorOleksandr Natalenko2020-04-12 18:36:28 +0200
committerOleksandr Natalenko2020-04-12 18:36:28 +0200
commit62445880808a7048e710d4f0e47fd54e47dcc69d (patch)
treeb29b0d8e83df15b74d66df537b7828bb0a4849d3
parentd40a717fdef60d6e92d788f12e624309a8d89a9d (diff)
downloadaur-62445880808a7048e710d4f0e47fd54e47dcc69d.tar.gz
harden webui service
Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
-rw-r--r--.SRCINFO4
-rw-r--r--PKGBUILD4
-rw-r--r--bandwidthd-webui.service27
3 files changed, 30 insertions, 5 deletions
diff --git a/.SRCINFO b/.SRCINFO
index b1b232aef9a..9869bc0d621 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = bandwidthd
pkgdesc = Daemon for graphing traffic of subnet machines
pkgver = 2.0.2.r1.0307fbba56
- pkgrel = 6
+ pkgrel = 7
epoch = 1
url = https://github.com/neatbasis/bandwidthd
arch = x86_64
@@ -33,7 +33,7 @@ pkgbase = bandwidthd
sha256sums = be5fa230311258f14d4af6a00496443bfbc1a148a77f237bb4a0b663947e090a
sha256sums = fc38a5623e66d82dec2efd28d2729e76e8f3b6056fb2bc2462a1ea1549f68807
sha256sums = 89c13a354ec9f9d913d82d21989bfbc90de6c15eff98697f7043142ae02f0fbf
- sha256sums = ab93801ae0b05129aaf62a49c065fdb62b7ae16d88d8b956164c2f416df5da81
+ sha256sums = 0290183d1e682eff11b88f4cc0ce5ee361db2a97a36300ab46a64c72fde9ae12
sha256sums = cd7b1ffff5dd9490ab69d777e459d79c229d5fef2e71a811df29f6c11e6acde4
sha256sums = 31780d5d9c67158277a0edeeb672c594af97f96678222107db47ab4b2ede43b2
sha256sums = 90e0fec629c87d2465ca311acedf0ca4ccf5d77ddf60a8db1f5095cc8c41a748
diff --git a/PKGBUILD b/PKGBUILD
index f8536843f5d..9fc96245da1 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -5,7 +5,7 @@ _repouser=neatbasis
_reponame=bandwidthd
_rev=0307fbba56a39a6e65ebadf488ad87979c64fdef
pkgver=2.0.2.r1.${_rev:0:10}
-pkgrel=6
+pkgrel=7
epoch=1
pkgdesc="Daemon for graphing traffic of subnet machines"
arch=(x86_64)
@@ -34,7 +34,7 @@ sha256sums=('7e8ebf7e2eeb5266af904a8f7188b11d5a13ebb0343022c2a118b86f48a952e4'
'be5fa230311258f14d4af6a00496443bfbc1a148a77f237bb4a0b663947e090a'
'fc38a5623e66d82dec2efd28d2729e76e8f3b6056fb2bc2462a1ea1549f68807'
'89c13a354ec9f9d913d82d21989bfbc90de6c15eff98697f7043142ae02f0fbf'
- 'ab93801ae0b05129aaf62a49c065fdb62b7ae16d88d8b956164c2f416df5da81'
+ '0290183d1e682eff11b88f4cc0ce5ee361db2a97a36300ab46a64c72fde9ae12'
'cd7b1ffff5dd9490ab69d777e459d79c229d5fef2e71a811df29f6c11e6acde4'
'31780d5d9c67158277a0edeeb672c594af97f96678222107db47ab4b2ede43b2'
'90e0fec629c87d2465ca311acedf0ca4ccf5d77ddf60a8db1f5095cc8c41a748'
diff --git a/bandwidthd-webui.service b/bandwidthd-webui.service
index b77740cdd93..919fb42d524 100644
--- a/bandwidthd-webui.service
+++ b/bandwidthd-webui.service
@@ -8,8 +8,33 @@ User=bandwidthd
Group=bandwidthd
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+PrivateDevices=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+StateDirectory=bandwidthd
+RuntimeDirectory=bandwidthd
+ConfigurationDirectory=bandwidthd
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+RestrictRealtime=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+UMask=066
+ProtectHostname=true
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
ExecStart=/usr/bin/nginx -c /etc/bandwidthd/bandwidthd-webui.conf
-PIDFile=/run/bandwidthd/bandwidthd-webui.pid
+PIDFile=bandwidthd/bandwidthd-webui.pid
[Install]
WantedBy=bandwidthd.service
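Review bot: `RuntimeDirectory=bandwidthd` makes systemd delete /run/bandwidthd whenever this unit stops, and the directory name together with `WantedBy=bandwidthd.service` suggests the main daemon shares that directory (its unit is not visible here, so this is an inference). If it does, stopping or restarting the web UI would remove the daemon's runtime files; adding `RuntimeDirectoryPreserve=yes`, or giving this unit its own directory with the nginx pid path and `PIDFile=` changed to match, avoids that. Separately, the two `SystemCallFilter=` lines keep the default action, which kills the process on a denied call; `SystemCallErrorNumber=EPERM` would make a filtered syscall fail with an error nginx can log instead. `RestrictAddressFamilies=AF_INET AF_INET6` also blocks socket(AF_UNIX), so it is worth confirming that the nginx config uses no unix-socket upstream or syslog target. The [Service] section begins above this hunk.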