diff options
author | 0b100100 | 2021-12-24 18:41:10 +0100 |
---|---|---|
committer | 0b100100 | 2021-12-24 18:43:38 +0100 |
commit | ab67f860e452553a4435960edbc5e05b1be4d8bb (patch) | |
tree | effa39429141d5c5cb4890e9d98b7340be2f1a30 | |
parent | 795a7c2155e4de3f5678f3f74eb11dca6be2cde5 (diff) | |
download | aur-ab67f860e452553a4435960edbc5e05b1be4d8bb.tar.gz |
Run service as a separate user and add some patches
Create needed paths in service file
Add security and hardening measures in service file
-rw-r--r-- | .SRCINFO | 10 | ||||
-rw-r--r-- | 0001-cflag_werror_format-security.patch (renamed from cflag_werror_format-security.patch) | 0 | ||||
-rw-r--r-- | 0002-service_execstart_paths_security_and_sandboxing.patch | 39 | ||||
-rw-r--r-- | PKGBUILD | 19 | ||||
-rw-r--r-- | rippled.service | 13 | ||||
-rw-r--r-- | rippled.sysusers | 1 |
6 files changed, 58 insertions, 24 deletions
@@ -1,7 +1,7 @@ pkgbase = rippled pkgdesc = Ripple peer-to-peer network daemon pkgver = 1.8.2 - pkgrel = 1 + pkgrel = 2 url = https://github.com/ripple/rippled install = rippled.install arch = x86_64 @@ -19,12 +19,14 @@ pkgbase = rippled backup = etc/rippled/rippled.cfg backup = etc/rippled/validators.txt source = rippled-1.8.2.tar.gz::https://github.com/ripple/rippled/archive/1.8.2.tar.gz - source = rippled.service source = rippled.install - source = cflag_werror_format-security.patch + source = rippled.sysusers + source = 0001-cflag_werror_format-security.patch + source = 0002-service_execstart_paths_security_and_sandboxing.patch sha512sums = a18f5eb9930586b49e6cbdae5edebf8f268b9c114b068543734a90282c5e5367c26d1bc6e2a31a6c42e294a763b5e9fa79792c580d049195b755b1af719496f2 - sha512sums = 4bd5964aac94df0f5cc9a6f177df07cacb71b1df5908ea6dc7c351103ca027688021f4ece184a7b7c5166bac1b4cc0e99cfd79e7a44ebf674618ad7a2f6b5a5a sha512sums = 0c50bbd6b790163ca77ab6b8f5a078049dafe69f3818f05c8de3db626227c20cb55fbeaf38ca7594ce3a4f82156319ab69ccf24ca2615a278459f10a3ad7a04c + sha512sums = bf651f870dc788a53960b950f1d069a2775fb806399c11b4e96499c26e325c844120bf7a1698a9482621b5634d2c7202b5917c582fd8a53002b2c9fe4caf6bae sha512sums = 826c1233d10339176267cbd6ef394e3b4647630a074f2c4cdade7ee683319e01ea45209037cbce7acef7e97885adce7250f23d65174baca65f40a4aa2ef6b0fb + sha512sums = fc841883eb6fb74a8ebbff8bccfd042022db533f4b44595e43680b048a7cead6532704538f2d22c6d04349d2472692bf3b5fc091dd454fa3d3cf37c88acb2c7e pkgname = rippled diff --git a/cflag_werror_format-security.patch b/0001-cflag_werror_format-security.patch index fb8c42afadd9..fb8c42afadd9 100644 --- a/cflag_werror_format-security.patch +++ b/0001-cflag_werror_format-security.patch diff --git a/0002-service_execstart_paths_security_and_sandboxing.patch b/0002-service_execstart_paths_security_and_sandboxing.patch new file mode 100644 index 000000000000..d0d4b23ddc2d --- /dev/null +++ b/0002-service_execstart_paths_security_and_sandboxing.patch @@ -0,0 +1,39 @@ +diff --git a/Builds/containers/shared/rippled.service b/Builds/containers/shared/rippled.service +index 24d9dd975..27233704e 100644 +--- a/Builds/containers/shared/rippled.service ++++ b/Builds/containers/shared/rippled.service +@@ -5,11 +5,33 @@ Wants=network-online.target + + [Service] + Type=simple +-ExecStart=/opt/ripple/bin/rippled --net --silent --conf /etc/opt/ripple/rippled.cfg ++ExecStart=/usr/bin/rippled --net --silent --conf /etc/rippled/rippled.cfg + Restart=on-failure + User=rippled + Group=rippled + LimitNOFILE=65536 + ++# Paths ++StateDirectory=rippled ++LogsDirectory=rippled ++ConfigurationDirectory=rippled ++ ++# Security ++NoNewPrivileges=true ++ ++# Sandboxing ++ProtectSystem=strict ++ProtectHome=true ++PrivateTmp=true ++PrivateDevices=true ++PrivateUsers=true ++ProtectClock=true ++ProtectKernelTunables=true ++ProtectKernelModules=true ++ProtectKernelLogs=true ++ProtectControlGroups=true ++MemoryDenyWriteExecute=true ++RestrictSUIDSGID=true ++ + [Install] + WantedBy=multi-user.target @@ -3,7 +3,7 @@ # Contributor: Roberto Catini <roberto.catini@gmail.com> pkgname=rippled -pkgrel=1 +pkgrel=2 pkgver=1.8.2 pkgdesc="Ripple peer-to-peer network daemon" arch=('x86_64') @@ -14,16 +14,20 @@ depends=('protobuf' 'boost-libs' 'libarchive' 'libsecp256k1' 'rocksdb') makedepends=('git' 'cmake' 'boost' 'clang' 'doxygen') install=$pkgname.install source=("$pkgname-$pkgver.tar.gz::$url/archive/$pkgver.tar.gz" - "$pkgname.service" "$pkgname.install" - "cflag_werror_format-security.patch") + "$pkgname.sysusers" + "0001-cflag_werror_format-security.patch" + "0002-service_execstart_paths_security_and_sandboxing.patch") sha512sums=('a18f5eb9930586b49e6cbdae5edebf8f268b9c114b068543734a90282c5e5367c26d1bc6e2a31a6c42e294a763b5e9fa79792c580d049195b755b1af719496f2' - '4bd5964aac94df0f5cc9a6f177df07cacb71b1df5908ea6dc7c351103ca027688021f4ece184a7b7c5166bac1b4cc0e99cfd79e7a44ebf674618ad7a2f6b5a5a' '0c50bbd6b790163ca77ab6b8f5a078049dafe69f3818f05c8de3db626227c20cb55fbeaf38ca7594ce3a4f82156319ab69ccf24ca2615a278459f10a3ad7a04c' - '826c1233d10339176267cbd6ef394e3b4647630a074f2c4cdade7ee683319e01ea45209037cbce7acef7e97885adce7250f23d65174baca65f40a4aa2ef6b0fb') + 'bf651f870dc788a53960b950f1d069a2775fb806399c11b4e96499c26e325c844120bf7a1698a9482621b5634d2c7202b5917c582fd8a53002b2c9fe4caf6bae' + '826c1233d10339176267cbd6ef394e3b4647630a074f2c4cdade7ee683319e01ea45209037cbce7acef7e97885adce7250f23d65174baca65f40a4aa2ef6b0fb' + 'fc841883eb6fb74a8ebbff8bccfd042022db533f4b44595e43680b048a7cead6532704538f2d22c6d04349d2472692bf3b5fc091dd454fa3d3cf37c88acb2c7e') prepare() { - patch -d "$pkgname-$pkgver" -p1 -i "$srcdir/cflag_werror_format-security.patch" + cd "$pkgname-$pkgver" + patch -p1 -i "$srcdir/0001-cflag_werror_format-security.patch" + patch -p1 -i "$srcdir/0002-service_execstart_paths_security_and_sandboxing.patch" } build() { @@ -41,11 +45,12 @@ check() { package() { install -D build/rippled "$pkgdir/usr/bin/rippled" - install -D -m644 $pkgname.service "$pkgdir/usr/lib/systemd/system/$pkgname.service" + install -D -m644 $pkgname.sysusers "$pkgdir/usr/lib/sysusers.d/$pkgname.conf" cd "$pkgname-$pkgver" install -D -m644 LICENSE.md "$pkgdir/usr/share/licenses/$pkgname/LICENSE" install -D -m644 cfg/rippled-example.cfg "$pkgdir/etc/$pkgname/rippled.cfg" install -D -m644 cfg/validators-example.txt "$pkgdir/etc/$pkgname/validators.txt" + install -D -m644 Builds/containers/shared/rippled.service "$pkgdir/usr/lib/systemd/system/rippled.service" } # vim:set ts=2 sw=2 et: diff --git a/rippled.service b/rippled.service deleted file mode 100644 index ef15cd460785..000000000000 --- a/rippled.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=Ripple Daemon -After=network-online.target -Wants=network-online.target - -[Service] -Type=simple -ExecStart=/usr/bin/rippled --net --silent --conf /etc/rippled/rippled.cfg -Restart=on-failure -LimitNOFILE=65536 - -[Install] -WantedBy=multi-user.target diff --git a/rippled.sysusers b/rippled.sysusers new file mode 100644 index 000000000000..c334ed189bc8 --- /dev/null +++ b/rippled.sysusers @@ -0,0 +1 @@ +u rippled - - /var/lib/rippled |