author | Martin/Geno | 2019-10-26 17:02:09 +0200 |
---|---|---|
committer | Martin/Geno | 2019-10-26 17:02:09 +0200 |
commit | 20e7fe629b82bbcf55d14c2c1e04e923a4750ef4 (patch) | |
tree | 9bb136367aa619db2e1af802660cac27b6353c92 | |
parent | 25aa0c45ff0e4f72372fe29f3fde64aa932fc0d2 (diff) | |
download | aur-20e7fe629b82bbcf55d14c2c1e04e923a4750ef4.tar.gz |
add systemd files
-rw-r--r-- | .SRCINFO | 4 | ||||
-rw-r--r-- | PKGBUILD | 8 | ||||
-rw-r--r-- | jool.service | 38 | ||||
-rw-r--r-- | jool_siit.service | 38 |
4 files changed, 84 insertions, 4 deletions
@@ -1,7 +1,7 @@
 pkgbase = jool-dkms-git
 pkgdesc = Open Source SIIT and NAT64 for Linux.
- pkgver = 4.0.6.r1.g90033801
- pkgrel = 1
+ pkgver = 4.0.6.r2.g90033801
+ pkgrel = 2
 url = https://www.jool.mx
 arch = i686
 arch = x86_64
@@ -2,8 +2,8 @@
 _pkgbase=jool
 pkgname=${_pkgbase}-dkms-git
-pkgver=4.0.6.r1.g90033801
-pkgrel=1
+pkgver=4.0.6.r2.g90033801
+pkgrel=2
 pkgdesc="Open Source SIIT and NAT64 for Linux."
 arch=('i686' 'x86_64')
 url="https://www.jool.mx"
@@ -37,4 +37,8 @@ package() {
 cd ..
 mkdir -p "${pkgdir}"/usr/src/${_pkgbase}-${ver}/
 cp -r Jool-clean/* "${pkgdir}"/usr/src/${_pkgbase}-${ver}/
+
+ # Install service files
+ install -Dm644 ../jool.service "${pkgdir}"/usr/lib/systemd/system/jool.service
+ install -Dm644 ../jool_siit.service "${pkgdir}"/usr/lib/systemd/system/jool_siit.service
 }
diff --git a/jool.service b/jool.service
new file mode 100644
index 000000000000..5f10bbc26a1c
--- /dev/null
+++ b/jool.service
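Review bot: The two `install -Dm644 ../jool.service …` lines added to package() pick the unit files up by a relative path rather than from the source array: neither PKGBUILD hunk adds them to `source=()`, and the .SRCINFO hunk adds no `source =` entries, so the files are never checksummed and the copy only works when `$srcdir` happens to sit directly under the directory holding the PKGBUILD. Add `jool.service` and `jool_siit.service` to `source=()` with matching `sha256sums` entries (and regenerate .SRCINFO), then install them as `install -Dm644 "${srcdir}/jool.service" "${pkgdir}/usr/lib/systemd/system/jool.service"` and likewise for `jool_siit.service`. package() starts outside the hunk, so the working directory at the `cd ..` line cannot be confirmed from here.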
@@ -0,0 +1,38 @@
+[Unit]
+Description=Stateful NAT64
+Documentation=https://jool.mx/en/documentation.html
+After=network.target
+ConditionPathExists=/etc/jool/jool.conf
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+ExecStartPre=/sbin/modprobe jool
+ExecStart=/usr/bin/jool file handle /etc/jool/jool.conf
+ExecStop=/usr/bin/jool -f /etc/jool/jool.conf instance remove
+# Do not modprobe -r; some other instance could be running.
+
+# -- Security Section --
+# Long story short: All the jool clients need is read access on the config
+# files, and the Netlink socket to kernelspace.
+# The ExecStartPre above also needs to be able to modify kernel modules.
+# Everything else should probably be blocked.
+
+CapabilityBoundingSet=CAP_SYS_MODULE CAP_NET_ADMIN
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+InaccessiblePaths=/tmp /dev
+ProtectKernelTunables=yes
+ProtectKernelModules=no
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_NETLINK
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
diff --git a/jool_siit.service b/jool_siit.service
new file mode 100644
index 000000000000..a2cfecc787e7
--- /dev/null
+++ b/jool_siit.service
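Review bot: The hardening block under `# Everything else should probably be blocked.` stops short of a system-call filter, so the root-privileged modprobe and jool processes keep the full syscall surface apart from what `SystemCallArchitectures=native` removes. Adding `SystemCallFilter=@system-service @module` together with `SystemCallErrorNumber=EPERM` (so a blocked call returns an error instead of killing the process with SIGSYS) would match the stated intent; `@module` is required because ExecStartPre loads the kernel module, and the resulting set should be checked against a full start/stop cycle, since the exact calls the jool client makes are not visible here. The same applies to the jool_siit.service hunk below, whose Security Section is identical.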
@@ -0,0 +1,38 @@
+[Unit]
+Description=Stateless IP/ICMP Translator
+Documentation=https://jool.mx/en/documentation.html
+After=network.target
+ConditionPathExists=/etc/jool/jool_siit.conf
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+ExecStartPre=/sbin/modprobe jool_siit
+ExecStart=/usr/bin/jool_siit file handle /etc/jool/jool_siit.conf --force
+ExecStop=/usr/bin/jool_siit -f /etc/jool/jool_siit.conf instance remove
+# Do not modprobe -r; some other instance could be running.
+
+# -- Security Section --
+# Long story short: All the jool clients need is read access on the config
+# files, and the Netlink socket to kernelspace.
+# The ExecStartPre above also needs to be able to modify kernel modules.
+# Everything else should probably be blocked.
+
+CapabilityBoundingSet=CAP_SYS_MODULE CAP_NET_ADMIN
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+InaccessiblePaths=/tmp /dev
+ProtectKernelTunables=yes
+ProtectKernelModules=no
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_NETLINK
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target |
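Review bot: `ExecStart=/usr/bin/jool_siit file handle /etc/jool/jool_siit.conf --force` is the only line on which this unit differs from jool.service, and the flag is left unexplained. If `--force` here behaves as it does on the other jool client subcommands — relaxing validation of the configuration being loaded — this unit accepts at boot what the stateful unit would reject, which deserves a one-line justification beside it, e.g. `# --force: <reason validation must be relaxed for the SIIT config>`, or the flag should be dropped if it is not actually required.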