author | Deon Spengler | 2022-03-01 22:20:43 +0200 |
---|---|---|
committer | Deon Spengler | 2022-03-01 22:20:43 +0200 |
commit | 27c6da47837db2f00bf17712f98409a012f58928 (patch) | |
tree | 9e47548dea43466a50e2632247856bb0bfb61f6f | |
parent | af89470be7692a905d987017c19a505a779ed15c (diff) | |
download | aur-27c6da47837db2f00bf17712f98409a012f58928.tar.gz |
Improve security
-rw-r--r-- | .SRCINFO | 13 | ||||
-rw-r--r-- | PKGBUILD | 23 | ||||
-rw-r--r-- | log-path.patch | 11 | ||||
-rw-r--r-- | mautrix-googlechat-registration | 2 | ||||
-rw-r--r-- | mautrix-googlechat.service | 24 | ||||
-rw-r--r-- | mautrix-googlechat.sysusers | 1 | ||||
-rw-r--r-- | mautrix-googlechat.tmpfiles | 3 |
7 files changed, 69 insertions, 8 deletions
@@ -1,7 +1,7 @@ pkgbase = mautrix-googlechat pkgdesc = A Matrix-Google Chat puppeting bridge. pkgver = 0.3.0 - pkgrel = 2 + pkgrel = 3 url = https://github.com/mautrix/googlechat install = mautrix-googlechat.install arch = any @@ -19,11 +19,18 @@ pkgbase = mautrix-googlechat depends = python-ruamel-yaml depends = python-unpaddedbase64 depends = python-yarl + backup = etc/mautrix-googlechat/config.yaml source = https://github.com/mautrix/googlechat/archive/refs/tags/v0.3.0.tar.gz source = mautrix-googlechat-registration source = mautrix-googlechat.service + source = mautrix-googlechat.sysusers + source = mautrix-googlechat.tmpfiles + source = log-path.patch sha256sums = 82c2b3c5acea8a85b0753ccb9c67576b42680f37312832fee537492a9363814e - sha256sums = f6693ed10a1d76ef94fdb37801514523ea1809cf0ea71e83c44f5832118237f9 - sha256sums = 2117e24762e2e8731069020720afff3c6024f506cb6c68c9dd7361262fbcb0e3 + sha256sums = a24774abbdf132a18b89709734a58cf14c674176121cb6e9a5f28d39a73c8bc2 + sha256sums = 0bbaf8d7cec830e86bf65e7d1f01822f3ab3e057fa805c9f17ee91f99f8a11cf + sha256sums = 6653023ceb1bfcfed001f0c722ef82c2584d1a84100d7d38a1641d47b23e544a + sha256sums = a3c993e32ad5710ba2d0d24c9355a3d4fcd58fa01fe396ee9b0a9870f3592f99 + sha256sums = dd838686f7dac3130b83e8b8ffbb54c36097470018466102bc0c609385d9b472 pkgname = mautrix-googlechat @@ -2,7 +2,7 @@ pkgname=mautrix-googlechat pkgver=0.3.0 -pkgrel=2 +pkgrel=3 pkgdesc="A Matrix-Google Chat puppeting bridge." url="https://github.com/mautrix/googlechat" depends=(python 
@@ -23,10 +23,22 @@ arch=(any)
 install="${pkgname}.install"
 source=("https://github.com/mautrix/googlechat/archive/refs/tags/v${pkgver}.tar.gz"
 "mautrix-googlechat-registration"
- "mautrix-googlechat.service")
+ "mautrix-googlechat.service"
+ "mautrix-googlechat.sysusers"
+ "mautrix-googlechat.tmpfiles"
+ "log-path.patch")
+backup=("etc/${pkgname}/config.yaml")
 sha256sums=('82c2b3c5acea8a85b0753ccb9c67576b42680f37312832fee537492a9363814e'
- 'f6693ed10a1d76ef94fdb37801514523ea1809cf0ea71e83c44f5832118237f9'
- '2117e24762e2e8731069020720afff3c6024f506cb6c68c9dd7361262fbcb0e3')
+ 'a24774abbdf132a18b89709734a58cf14c674176121cb6e9a5f28d39a73c8bc2'
+ '0bbaf8d7cec830e86bf65e7d1f01822f3ab3e057fa805c9f17ee91f99f8a11cf'
+ '6653023ceb1bfcfed001f0c722ef82c2584d1a84100d7d38a1641d47b23e544a'
+ 'a3c993e32ad5710ba2d0d24c9355a3d4fcd58fa01fe396ee9b0a9870f3592f99'
+ 'dd838686f7dac3130b83e8b8ffbb54c36097470018466102bc0c609385d9b472')
+
+prepare() {
+ cd googlechat-${pkgver}
+ patch -p1 -i "${srcdir}/log-path.patch"
+}
 
 build() {
 cd googlechat-${pkgver}
@@ -41,4 +53,7 @@ package() {
 rm ${pkgdir}/usr/example-config.yaml
 install -Dm755 ${srcdir}/mautrix-googlechat-registration ${pkgdir}/usr/bin/mautrix-googlechat-registration
 install -Dm644 ${srcdir}/mautrix-googlechat.service ${pkgdir}/usr/lib/systemd/system/mautrix-googlechat.service
+
+ install -Dm644 "$srcdir/mautrix-googlechat.sysusers" "$pkgdir/usr/lib/sysusers.d/mautrix-googlechat.conf"
+ install -Dm644 "$srcdir/mautrix-googlechat.tmpfiles" "$pkgdir/usr/lib/tmpfiles.d/mautrix-googlechat.conf"
 }
diff --git a/log-path.patch b/log-path.patch
new file mode 100644
index 000000000000..b8e49f8ae822
--- /dev/null
+++ b/log-path.patch
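Review bot: The two new `install` lines in package() quote `"$srcdir/…"` and `"$pkgdir/…"` while the three existing lines directly above them use unquoted `${srcdir}/…` and `${pkgdir}/…`; the function should use one form throughout, preferably the quoted braces, e.g. `install -Dm644 "${srcdir}/mautrix-googlechat.sysusers" "${pkgdir}/usr/lib/sysusers.d/mautrix-googlechat.conf"`, so a build directory containing spaces does not split the unquoted paths. The function header `package() {` sits before this hunk; only its last four original lines are shown.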
@@ -0,0 +1,11 @@
+--- a/mautrix_googlechat/example-config.yaml 2021-12-18 23:35:28.000000000 +0200
++++ b/mautrix_googlechat/example-config.yaml 2022-03-01 22:04:05.359642474 +0200
+@@ -220,7 +220,7 @@
+ file:
+ class: logging.handlers.RotatingFileHandler
+ formatter: normal
+- filename: ./mautrix-googlechat.log
++ filename: /var/log/mautrix-googlechat/googlechat.log
+ maxBytes: 10485760
+ backupCount: 10
+ console:
diff --git a/mautrix-googlechat-registration b/mautrix-googlechat-registration
index 33200546f6ff..13fd4f73edf8 100644
--- a/mautrix-googlechat-registration
+++ b/mautrix-googlechat-registration
@@ -6,3 +6,5 @@ if [[ $EUID -ne 0 ]]; then
 fi
 
 python -m mautrix_googlechat -c /etc/mautrix-googlechat/config.yaml -r /etc/mautrix-googlechat/registration.yaml -g
+chown root:mautrix-googlechat /etc/mautrix-googlechat/config.yaml /etc/mautrix-googlechat/registration.yaml
+chmod 640 /etc/mautrix-googlechat/config.yaml /etc/mautrix-googlechat/registration.yaml
diff --git a/mautrix-googlechat.service b/mautrix-googlechat.service
index 658839e3b554..3881808b8290 100644
--- a/mautrix-googlechat.service
+++ b/mautrix-googlechat.service
@@ -1,8 +1,30 @@
 [Unit]
 Description=Mautrix Google Chat bridge
+After=network-online.target
 
 [Service]
-ExecStart=/usr/bin/python -m mautrix_googlechat -c /etc/mautrix-googlechat/config.yaml
+User=mautrix-googlechat
+ExecStart=/usr/bin/python -m mautrix_googlechat -n -c /etc/mautrix-googlechat/config.yaml
+
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=true
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+LockPersonality=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+ProtectClock=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
 
 [Install]
 WantedBy=multi-user.target
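Review bot: The new `filename: /var/log/mautrix-googlechat/googlechat.log` only reaches fresh installs, because the patched file is `example-config.yaml` and the installed copy is protected by `backup=etc/mautrix-googlechat/config.yaml` in the same commit; an upgrading system keeps `filename: ./mautrix-googlechat.log`, which — now that the unit runs as an unprivileged `User=` from the default working directory `/` — is most likely unwritable and would stop the bridge from starting. The upgrade path deserves a `post_upgrade` notice in `mautrix-googlechat.install` (not part of this diff) telling admins to point `logging.handlers.file.filename` at the new directory, or a one-line comment in the patch header stating that the path is the packaged default, not a requirement.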
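Review bot: The added `chown`/`chmod 640` run only after `python -m mautrix_googlechat … -g` has already written `config.yaml` and `registration.yaml`, so under the usual root umask of 022 both files — including the appservice tokens the registration file carries — exist world-readable until the two follow-up commands finish. Creating them private from the start avoids that window: add `umask 077` on the line before the `python` invocation, and the existing `chmod 640` then only widens group access for the service user. The script also does not stop on failure (its head, outside this hunk, shows no `set -e`), so a failed generation still runs `chown` and `chmod` against files that may not exist; `set -euo pipefail` near the top would make the failure explicit instead of masking it.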
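Review bot: `After=network-online.target` in `[Unit]` has no matching `Wants=network-online.target`, so nothing pulls that target into the transaction and the ordering has no effect; add `Wants=network-online.target` on the line before it. The hardened `[Service]` block adds `User=` but no `WorkingDirectory`/`StateDirectory`, so any relative path left in config.yaml (the bridge's database, for instance) resolves under `/`, which the new unprivileged user cannot write — whether that bites depends on the admin's config, so I would treat it as a probable upgrade hazard rather than a certainty. Once the writable locations are explicit, `ProtectSystem=strict` with `ReadWritePaths=` for the log directory is a tighter fit than `full`, and `RestrictAddressFamilies`, `RestrictNamespaces` and an empty `CapabilityBoundingSet=` are cheap additions to the set already present.
```ini
[Unit]
Wants=network-online.target
# … unchanged: Description=, After=network-online.target …

[Service]
StateDirectory=mautrix-googlechat
WorkingDirectory=/var/lib/mautrix-googlechat
# … unchanged: User=, ExecStart=, NoNewPrivileges= … ProtectHome= …
ProtectSystem=strict
ReadWritePaths=/var/log/mautrix-googlechat
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
CapabilityBoundingSet=
# … unchanged: remaining hardening directives and [Install] …
```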
diff --git a/mautrix-googlechat.sysusers b/mautrix-googlechat.sysusers
new file mode 100644
index 000000000000..8bb2ee18356f
--- /dev/null
+++ b/mautrix-googlechat.sysusers
@@ -0,0 +1 @@
+u mautrix-googlechat - "Mautrix GoogleChat user" /dev/null
diff --git a/mautrix-googlechat.tmpfiles b/mautrix-googlechat.tmpfiles
new file mode 100644
index 000000000000..dfb57d794958
--- /dev/null
+++ b/mautrix-googlechat.tmpfiles
@@ -0,0 +1,3 @@
+# Override this file with a modified version in /etc/tmpfiles.d/
+z /etc/mautrix-googlechat/* 0640 root mautrix-googlechat -
+d /var/log/mautrix-googlechat 0750 mautrix-googlechat mautrix-googlechat |
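Review bot: `z /etc/mautrix-googlechat/* 0640 root mautrix-googlechat -` applies mode 0640 to every existing entry the glob matches, so if an admin ever keeps a subdirectory there it loses its execute bit and becomes untraversable, while the directory `/etc/mautrix-googlechat` itself is left at whatever mode the package gave it. Naming the two files the helper script creates is both safer and self-documenting: `z /etc/mautrix-googlechat/config.yaml 0640 root mautrix-googlechat -` and `z /etc/mautrix-googlechat/registration.yaml 0640 root mautrix-googlechat -` (`z` is a no-op for a path that does not exist yet). The `d /var/log/mautrix-googlechat 0750 …` line could instead be `LogsDirectory=mautrix-googlechat` in the unit, which creates the directory with the service's ownership and keeps it writable under the stricter `ProtectSystem=` modes without a separate tmpfiles entry.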