authorÓscar García Amor2021-05-07 09:12:54 +0200
committerÓscar García Amor2021-05-07 09:12:54 +0200
commitdf046127f93e307979daf9013430c33df5d7f869 (patch)
treed80105b289bb1258e7f10e97e95fa90dcc5d4a07
parent537be0318a41c66d1333cc0c84713b582acf5f7e (diff)
downloadaur-df046127f93e307979daf9013430c33df5d7f869.tar.gz
upgpkg: vlmcsd 1113-1
Improve systemd units
-rw-r--r--.SRCINFO4
-rw-r--r--PKGBUILD20
-rw-r--r--vlmcsd.service24
-rw-r--r--vlmcsd@.service28
4 files changed, 59 insertions, 17 deletions
diff --git a/.SRCINFO b/.SRCINFO
index d1220f990c03..0d3547392494 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -17,8 +17,8 @@ pkgbase = vlmcsd
source = vlmcsd@.service
source = vlmcsd.socket
sha256sums = 62f55c48f5de1249c2348ab6b96dabbe7e38899230954b0c8774efb01d9c42cc
- sha256sums = 83e7e75f5874c17bfa40f08eea134ba636d7ac9864eea2c4ad1ae8159ec9af74
- sha256sums = 5e1f1c556f16e61fcdaa197f9ada9d3d2a8d91d4b14b36e85181b323b3475623
+ sha256sums = 49c551ea447764f6ef9a05ef185c0bf850ad719571eff0ae770217de367f2019
+ sha256sums = 42318db688fc1ba97c87c4f96683ee663cc7d3d68c1ffcfe6c65403a9294ae90
sha256sums = 62fc0e5b50102fa7f1ce8e8d2c8cd1cb282dec9169179aa3ee083ca3d60772f3
pkgname = vlmcsd
diff --git a/PKGBUILD b/PKGBUILD
index 62c5e7d509eb..e332688f8f45 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -15,8 +15,8 @@ source=("https://github.com/Wind4/${pkgname}/archive/svn${pkgver}/svn${pkgver}.t
"${pkgname}@.service"
"${pkgname}.socket")
sha256sums=('62f55c48f5de1249c2348ab6b96dabbe7e38899230954b0c8774efb01d9c42cc'
- '83e7e75f5874c17bfa40f08eea134ba636d7ac9864eea2c4ad1ae8159ec9af74'
- '5e1f1c556f16e61fcdaa197f9ada9d3d2a8d91d4b14b36e85181b323b3475623'
+ '49c551ea447764f6ef9a05ef185c0bf850ad719571eff0ae770217de367f2019'
+ '42318db688fc1ba97c87c4f96683ee663cc7d3d68c1ffcfe6c65403a9294ae90'
'62fc0e5b50102fa7f1ce8e8d2c8cd1cb282dec9169179aa3ee083ca3d60772f3')
build() {
@@ -27,21 +27,17 @@ build() {
}
package() {
+ for unit in vlmcsd.service vlmcsd@.service vlmcsd.socket; do
+ install -Dm644 "${srcdir}"/${unit} "${pkgdir}"/usr/lib/systemd/system/${unit}
+ done
+
cd "${pkgname}-svn${pkgver}"
- pushd bin
for bin in vlmcs{d,}; do
- install -Dm755 ${bin} "${pkgdir}"/usr/bin/${bin}
+ install -Dm755 "bin/${bin}" "${pkgdir}"/usr/bin/${bin}
done
- popd
- pushd ../
- for unit in vlmcsd.service vlmcsd@.service vlmcsd.socket; do
- install -Dm644 "${srcdir}"/${unit} "${pkgdir}"/usr/lib/systemd/system/${unit}
- done
- popd
-
- pushd man
+ cd man
for manpage in *.[0-9]; do
section=${manpage##*.}
install -Dm644 ${manpage}.gz "${pkgdir}"/usr/share/man/man${section}/${manpage}.gz
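Review bot: Replacing `pushd man` with `cd man` just before the manpage loop only works if the matching `popd` after that loop is gone as well. The rest of package() lies outside this hunk, so that cannot be confirmed here; a leftover `popd` would fail on an empty directory stack. Separately, the new install lines leave `${unit}` and `${bin}` unquoted. That is harmless with the fixed names used here, but quoting the whole argument keeps the style consistent, e.g. `install -Dm644 "${srcdir}/${unit}" "${pkgdir}/usr/lib/systemd/system/${unit}"`.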
diff --git a/vlmcsd.service b/vlmcsd.service
index e499d0880938..8549477a95d2 100644
--- a/vlmcsd.service
+++ b/vlmcsd.service
@@ -2,8 +2,30 @@
Description=KMS Emulator
[Service]
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+NoNewPrivileges=true
+LockPersonality=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+ProtectHome=true
+ProtectSystem=strict
+PrivateDevices=true
+PrivateUsers=true
+ProtectClock=true
+ProtectProc=invisible
+ProcSubset=pid
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+DevicePolicy=closed
+DynamicUser=true
Type=forking
-User=nobody
ExecStart=/usr/bin/vlmcsd
[Install]
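Review bot: `RestrictAddressFamilies=AF_INET AF_INET6` omits AF_UNIX, so any local-socket use by the daemon, such as logging to syslog through /dev/log, will be refused once this unit is active. The `ExecStart=/usr/bin/vlmcsd` shown passes no logging options, so the default setup is probably unaffected. An admin who adds syslog logging through a drop-in would lose those logs without an obvious error. Either allow it with `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`, or add a comment above the line such as `# AF_UNIX intentionally blocked: syslog logging will not work, use stdout/journal`. The same directive appears in vlmcsd@.service.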
diff --git a/vlmcsd@.service b/vlmcsd@.service
index 94e50e58e09e..44727e99a7c1 100644
--- a/vlmcsd@.service
+++ b/vlmcsd@.service
@@ -2,7 +2,31 @@
Description=KMS Emulator Per-Connection
[Service]
-User=nobody
-ExecStart=/usr/bin/vlmcsd
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+NoNewPrivileges=true
+LockPersonality=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+ProtectHome=true
+ProtectSystem=strict
+PrivateDevices=true
+PrivateUsers=true
+ProtectClock=true
+ProtectProc=invisible
+ProcSubset=pid
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+DevicePolicy=closed
+PrivateNetwork=true
+IPAddressDeny=any
+DynamicUser=true
StandardInput=socket
StandardOutput=socket
+ExecStart=/usr/bin/vlmcsd
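Review bot: `PrivateNetwork=true` together with `IPAddressDeny=any` is only safe because this template receives its connection from the socket unit via `StandardInput=socket`, and nothing in the file says so. If the unit were ever started directly, or switched away from socket passing, the daemon would have no usable network. A short comment above the two lines would record the dependency, e.g. `# Connection is inherited from vlmcsd.socket; the process itself needs no network access`. The roughly twenty hardening directives are also duplicated verbatim from vlmcsd.service, so later tightening has to be applied in both files to keep them in step.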