v4.5.3-2

- sandboxing systemd service units

6 files changed, 34 insertions, 13 deletions

diff --git a/.SRCINFO b/.SRCINFO
index 908496d1d94c..f853c515d098 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
 pkgbase = mosdns-bin
-	pkgdesc = Plug-in configured DNS forwarder/server
+	pkgdesc = 一个 DNS 转发器
 	pkgver = 4.5.3
-	pkgrel = 1
+	pkgrel = 2
 	url = https://github.com/IrineSistiana/mosdns/
 	arch = x86_64
 	license = GPL3
@@ -9,14 +9,16 @@ pkgbase = mosdns-bin
 	optdepends = v2ray-geoip: geoip.dat
 	optdepends = v2ray-rules-dat-git: geosite.dat & geoip.dat
 	provides = mosdns
-	conflicts = mosdns
-	conflicts = mosdns-git
 	backup = etc/mosdns/config.yaml
 	source = mosdns-bin-4.5.3.zip::https://github.com/IrineSistiana/mosdns/releases/download/v4.5.3/mosdns-linux-amd64.zip
-	source = service
 	source = config.yaml
+	source = service
+	source = sysusers
+	source = tmpfiles
 	sha256sums = c970f5a5502256d6ef0e3b9729c325f3fca96f1bc09f0573efce9f3ee1cd67a2
-	sha256sums = b85dd6e5522e558bb1282734bbb684ceee019047d7597bdbde4dc07a8d59317e
 	sha256sums = 5ff706ed3d6e5e8624e6f8b276ed1e476be8ebc4747043e63999c8a9f9324ea8
+	sha256sums = 8bb851c5413e0e25e18e9d912a35b1500b54531ea961d4fc6cc8416173311c17
+	sha256sums = 2f2c9bbec87f610d4365cfa2631488a3517d3c5529e7e9942d778f550030c807
+	sha256sums = 0be8eb1cdf1dd563f829c2ab86a00be4d889d22a29e34c9582caff5c2876a2e1
 
 pkgname = mosdns-bin
diff --git a/.gitignore b/.gitignore
index 2fe5101d0489..3f59f78854aa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@
 !PKGBUILD
 !config.yaml
 !service
+!sysusers
+!tmpfiles
\ No newline at end of file
diff --git a/PKGBUILD b/PKGBUILD
index b38c07274656..05be12b92b02 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,8 +2,8 @@
 _pkgname=mosdns
 pkgname=${_pkgname}-bin
 pkgver=4.5.3
-pkgrel=1
-pkgdesc="Plug-in configured DNS forwarder/server"
+pkgrel=2
+pkgdesc="一个 DNS 转发器"
 arch=('x86_64')
 url="https://github.com/IrineSistiana/mosdns/"
 license=('GPL3')
@@ -12,14 +12,25 @@ optdepends=('v2ray-domain-list-community: geosite.dat'
             'v2ray-rules-dat-git: geosite.dat & geoip.dat')
 backup=('etc/mosdns/config.yaml')
 provides=('mosdns')
-conflicts=('mosdns' 'mosdns-git')
-source=("$pkgname-$pkgver.zip::https://github.com/IrineSistiana/mosdns/releases/download/v${pkgver}/mosdns-linux-amd64.zip" "service" "config.yaml")
+
+source=(
+  "$pkgname-$pkgver.zip::https://github.com/IrineSistiana/mosdns/releases/download/v${pkgver}/mosdns-linux-amd64.zip"
+  "config.yaml"
+  "service"
+  "sysusers"
+  "tmpfiles"
+)
+
 sha256sums=('c970f5a5502256d6ef0e3b9729c325f3fca96f1bc09f0573efce9f3ee1cd67a2'
-            'b85dd6e5522e558bb1282734bbb684ceee019047d7597bdbde4dc07a8d59317e'
-            '5ff706ed3d6e5e8624e6f8b276ed1e476be8ebc4747043e63999c8a9f9324ea8')
+            '5ff706ed3d6e5e8624e6f8b276ed1e476be8ebc4747043e63999c8a9f9324ea8'
+            '8bb851c5413e0e25e18e9d912a35b1500b54531ea961d4fc6cc8416173311c17'
+            '2f2c9bbec87f610d4365cfa2631488a3517d3c5529e7e9942d778f550030c807'
+            '0be8eb1cdf1dd563f829c2ab86a00be4d889d22a29e34c9582caff5c2876a2e1')
 
 package() {
   install -Dm755 mosdns "$pkgdir"/usr/bin/mosdns
+  install -Dm644 sysusers "$pkgdir/usr/lib/sysusers.d/mosdns.conf"
+  install -Dm644 tmpfiles "$pkgdir/usr/lib/tmpfiles.d/mosdns.conf"
   install -Dm644 service "$pkgdir"/usr/lib/systemd/system/mosdns.service
   install -Dm644 config.yaml "$pkgdir"/etc/mosdns/config.yaml
 }
diff --git a/service b/service
index f7424b4643fe..fc6122ec084e 100644
--- a/service
+++ b/service
@@ -4,9 +4,13 @@ Documentation=https://irine-sistiana.gitbook.io/mosdns-wiki/
 After=network.target
 
 [Service]
+User=mosdns
+Group=mosdns
 NoNewPrivileges=true
-ExecStart=/usr/bin/mosdns start -c /etc/mosdns/config.yaml -d /etc/mosdns/
+ExecStart=/usr/bin/mosdns start -c /etc/mosdns/config.yaml -d /var/lib/mosdns
 Restart=on-failure
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 
 [Install]
 WantedBy=multi-user.target
diff --git a/sysusers b/sysusers
new file mode 100644
index 000000000000..baf80dd2a7e7
--- /dev/null
+++ b/sysusers
@@ -0,0 +1 @@
+u mosdns - "Mosdns" /var/lib/mosdns
\ No newline at end of file
diff --git a/tmpfiles b/tmpfiles
new file mode 100644
index 000000000000..2edd6ffe0198
--- /dev/null
+++ b/tmpfiles
@@ -0,0 +1 @@
+d /var/lib/mosdns 0750 mosdns mosdns
\ No newline at end of file