summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorOleksandr Natalenko2020-04-12 17:19:52 +0200
committerOleksandr Natalenko2020-04-12 17:19:52 +0200
commitd40a717fdef60d6e92d788f12e624309a8d89a9d (patch)
treec6435798af4833f065d7937d8623dc3a94391888
parentc91431479d84d1fd265bb1d2d48eb5a5b6f1bcb8 (diff)
downloadaur-d40a717fdef60d6e92d788f12e624309a8d89a9d.tar.gz
harden main service
Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
-rw-r--r--.SRCINFO6
-rw-r--r--PKGBUILD6
-rw-r--r--bandwidthd.service28
-rw-r--r--bandwidthd.tmpfiles4
4 files changed, 35 insertions, 9 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 9989dd306fb..b1b232aef9a 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = bandwidthd
pkgdesc = Daemon for graphing traffic of subnet machines
pkgver = 2.0.2.r1.0307fbba56
- pkgrel = 5
+ pkgrel = 6
epoch = 1
url = https://github.com/neatbasis/bandwidthd
arch = x86_64
@@ -32,13 +32,13 @@ pkgbase = bandwidthd
sha256sums = 88c38a18b7bda6f3496dda3030ba118f8c461447dea426c13245099ae37a6d86
sha256sums = be5fa230311258f14d4af6a00496443bfbc1a148a77f237bb4a0b663947e090a
sha256sums = fc38a5623e66d82dec2efd28d2729e76e8f3b6056fb2bc2462a1ea1549f68807
- sha256sums = f3a9ade36279f86e897d3842a8cb22a5a56db419b12f1689557b2d03ea765e58
+ sha256sums = 89c13a354ec9f9d913d82d21989bfbc90de6c15eff98697f7043142ae02f0fbf
sha256sums = ab93801ae0b05129aaf62a49c065fdb62b7ae16d88d8b956164c2f416df5da81
sha256sums = cd7b1ffff5dd9490ab69d777e459d79c229d5fef2e71a811df29f6c11e6acde4
sha256sums = 31780d5d9c67158277a0edeeb672c594af97f96678222107db47ab4b2ede43b2
sha256sums = 90e0fec629c87d2465ca311acedf0ca4ccf5d77ddf60a8db1f5095cc8c41a748
sha256sums = d734cea9710691a1658b9996e35cd407e85b542aa0961aec57fc49281516aa5d
- sha256sums = 21886618648cbd5ac499328740e3d1185537d3ad81cfceeaeb3167c468fa4e41
+ sha256sums = 6c9e5bf89ecb580261a5a68ac240bd80ee43a7516c79023864acacbd8cee0ae2
pkgname = bandwidthd
diff --git a/PKGBUILD b/PKGBUILD
index 62fa2ce1240..f8536843f5d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -5,7 +5,7 @@ _repouser=neatbasis
_reponame=bandwidthd
_rev=0307fbba56a39a6e65ebadf488ad87979c64fdef
pkgver=2.0.2.r1.${_rev:0:10}
-pkgrel=5
+pkgrel=6
epoch=1
pkgdesc="Daemon for graphing traffic of subnet machines"
arch=(x86_64)
@@ -33,13 +33,13 @@ sha256sums=('7e8ebf7e2eeb5266af904a8f7188b11d5a13ebb0343022c2a118b86f48a952e4'
'88c38a18b7bda6f3496dda3030ba118f8c461447dea426c13245099ae37a6d86'
'be5fa230311258f14d4af6a00496443bfbc1a148a77f237bb4a0b663947e090a'
'fc38a5623e66d82dec2efd28d2729e76e8f3b6056fb2bc2462a1ea1549f68807'
- 'f3a9ade36279f86e897d3842a8cb22a5a56db419b12f1689557b2d03ea765e58'
+ '89c13a354ec9f9d913d82d21989bfbc90de6c15eff98697f7043142ae02f0fbf'
'ab93801ae0b05129aaf62a49c065fdb62b7ae16d88d8b956164c2f416df5da81'
'cd7b1ffff5dd9490ab69d777e459d79c229d5fef2e71a811df29f6c11e6acde4'
'31780d5d9c67158277a0edeeb672c594af97f96678222107db47ab4b2ede43b2'
'90e0fec629c87d2465ca311acedf0ca4ccf5d77ddf60a8db1f5095cc8c41a748'
'd734cea9710691a1658b9996e35cd407e85b542aa0961aec57fc49281516aa5d'
- '21886618648cbd5ac499328740e3d1185537d3ad81cfceeaeb3167c468fa4e41')
+ '6c9e5bf89ecb580261a5a68ac240bd80ee43a7516c79023864acacbd8cee0ae2')
backup=('etc/bandwidthd/bandwidthd.conf'
'etc/bandwidthd/bandwidthd-webui.conf')
diff --git a/bandwidthd.service b/bandwidthd.service
index b9bf7c9734b..24d3d370caa 100644
--- a/bandwidthd.service
+++ b/bandwidthd.service
@@ -7,8 +7,34 @@ User=bandwidthd
Group=bandwidthd
CapabilityBoundingSet=CAP_NET_RAW
AmbientCapabilities=CAP_NET_RAW
+RestrictAddressFamilies=AF_UNIX AF_PACKET
+RestrictNamespaces=true
+PrivateDevices=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+StateDirectory=bandwidthd
+RuntimeDirectory=bandwidthd
+ConfigurationDirectory=bandwidthd
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+RestrictRealtime=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+UMask=066
+ProtectHostname=true
+IPAddressDeny=any
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
ExecStart=/usr/bin/bandwidthd -D -c /etc/bandwidthd/bandwidthd.conf
-PIDFile=/run/bandwidthd/bandwidthd.pid
+PIDFile=bandwidthd/bandwidthd.pid
[Install]
WantedBy=multi-user.target
diff --git a/bandwidthd.tmpfiles b/bandwidthd.tmpfiles
index 8f846983a5b..e83cc711d12 100644
--- a/bandwidthd.tmpfiles
+++ b/bandwidthd.tmpfiles
@@ -1,4 +1,4 @@
-d /var/lib/bandwidthd 0755 bandwidthd bandwidthd -
+d /var/lib/bandwidthd 0700 bandwidthd bandwidthd -
Z /var/lib/bandwidthd - bandwidthd bandwidthd -
-d /run/bandwidthd 0755 bandwidthd bandwidthd -
+d /run/bandwidthd 0700 bandwidthd bandwidthd -
Z /run/bandwidthd - bandwidthd bandwidthd -