diff options
| author | George Rawlinson | 2020-11-26 12:29:06 +1300 |
|---|---|---|
| committer | George Rawlinson | 2020-11-26 12:29:06 +1300 |
| commit | 4b2ff9ef2a392633f9daab19c71da047babeb4f9 (patch) | |
| tree | fe8d4769a2fad9a31479f81f00ab808ef41c8d44 | |
| parent | eb87be5e8a5412533564e949706b21dd6735e674 (diff) | |
| download | aur-4b2ff9ef2a392633f9daab19c71da047babeb4f9.tar.gz | |
upgpkg: promscale 0.1.2-3
harden systemd service
| -rw-r--r-- | .SRCINFO | 4 | ||||
| -rw-r--r-- | PKGBUILD | 4 | ||||
| -rw-r--r-- | promscale.service | 31 |
3 files changed, 33 insertions, 6 deletions
@@ -1,7 +1,7 @@ pkgbase = promscale pkgdesc = An open source analytical platform for Prometheus metrics pkgver = 0.1.2 - pkgrel = 2 + pkgrel = 3 url = https://github.com/timescale/promscale arch = x86_64 license = Apache @@ -15,7 +15,7 @@ pkgbase = promscale source = promscale.sysusers.conf source = promscale.conf b2sums = 761e00de8829fae2a6b5f2b9c6b7e1db0f3b4391076af4df2faebb02186707ed25c75ef52020b6e43eebfac414db2ee7c26bcfd535de748697ff56e7639f0408 - b2sums = 2aefdad3110543a53afc43ccdd3dbaf23cf6a2eaf4d3225ac0164c0d6ce0d057254ba67b2809d83112fbac5639c483252302d3325edc2036a417a19687629afd + b2sums = 23a357e2fd252d1f6c1cd8d3cd4174bdd27d0ae5035f5afd08ac377405868ad0cc5d782fb5a73fcfdbd7169361e2c4b639aa096ebfe2d9adf95ffc1e26caa3b1 b2sums = 2fae9c07cd255528a1c87062650956b857caa8a3c656b59e85d740f527433f510a8fe18025e03480d9145673e6dd03867d60ead5a48044353262105a173cbbfd b2sums = 44b673203d0d2fa3af9f7e9bce8c6aefd61f14cde9dff2a261132ab99f2433940f37a9b70c49a234689a4277b7240ec411a38b9708001f49114a960d0770d7ed @@ -2,7 +2,7 @@ pkgname=promscale pkgver=0.1.2 -pkgrel=2 +pkgrel=3 pkgdesc="An open source analytical platform for Prometheus metrics" arch=('x86_64') url="https://github.com/timescale/promscale" @@ -18,7 +18,7 @@ source=("$pkgname-$pkgver.tar.gz::$url/archive/$pkgver.tar.gz" "$pkgname.sysusers.conf" "$pkgname.conf") b2sums=('761e00de8829fae2a6b5f2b9c6b7e1db0f3b4391076af4df2faebb02186707ed25c75ef52020b6e43eebfac414db2ee7c26bcfd535de748697ff56e7639f0408' - '2aefdad3110543a53afc43ccdd3dbaf23cf6a2eaf4d3225ac0164c0d6ce0d057254ba67b2809d83112fbac5639c483252302d3325edc2036a417a19687629afd' + '23a357e2fd252d1f6c1cd8d3cd4174bdd27d0ae5035f5afd08ac377405868ad0cc5d782fb5a73fcfdbd7169361e2c4b639aa096ebfe2d9adf95ffc1e26caa3b1' '2fae9c07cd255528a1c87062650956b857caa8a3c656b59e85d740f527433f510a8fe18025e03480d9145673e6dd03867d60ead5a48044353262105a173cbbfd' '44b673203d0d2fa3af9f7e9bce8c6aefd61f14cde9dff2a261132ab99f2433940f37a9b70c49a234689a4277b7240ec411a38b9708001f49114a960d0770d7ed') diff --git a/promscale.service b/promscale.service index bdafd1e3c828..fe8656db898f 100644 --- a/promscale.service +++ b/promscale.service @@ -8,12 +8,39 @@ After=network-online.target User=promscale Group=promscale Restart=on-failure +RestartSec=5s EnvironmentFile=-/etc/conf.d/promscale ExecStart=/usr/bin/promscale $PROMSCALE_ARGS ExecReload=/bin/kill -HUP $MAINPID + NoNewPrivileges=true -ProtectSystem=true +ProtectSystem=strict +ProtectHome=true +PrivateTmp=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=true +LockPersonality=true +MemoryDenyWriteExecute=true +RestrictRealtime=true +RestrictSUIDSGID=true +RemoveIPC=true +CapabilityBoundingSet= +AmbientCapabilities= +PrivateUsers=true + +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources +SystemCallArchitectures=native + +LimitNOFILE=1048576 +UMask=0077 [Install] WantedBy=multi-user.target - |