| 1 |
commit: 1a34370c22e9d57dbf10f3830528b19c17704d5d |
| 2 |
Author: Craig Andrews <candrews <AT> integralblue <DOT> com> |
| 3 |
AuthorDate: Thu Jun 30 15:55:03 2016 +0000 |
| 4 |
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sat Nov 26 19:08:24 2016 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a34370c |
| 7 |
|
| 8 |
mail-filter/sqlgrey: systemd .service hardening |
| 9 |
|
| 10 |
Bug: https://bugs.gentoo.org/587596 |
| 11 |
Closes: https://github.com/gentoo/gentoo/pull/1800 |
| 12 |
|
| 13 |
mail-filter/sqlgrey/files/sqlgrey.service | 13 +++++++++++++ |
| 14 |
.../{sqlgrey-1.7.6-r1.ebuild => sqlgrey-1.7.6-r2.ebuild} | 0 |
| 15 |
2 files changed, 13 insertions(+) |
| 16 |
|
| 17 |
diff --git a/mail-filter/sqlgrey/files/sqlgrey.service b/mail-filter/sqlgrey/files/sqlgrey.service |
| 18 |
index f6be356..a317186 100644 |
| 19 |
--- a/mail-filter/sqlgrey/files/sqlgrey.service |
| 20 |
+++ b/mail-filter/sqlgrey/files/sqlgrey.service |
| 21 |
@@ -3,7 +3,20 @@ Description=SQLgrey Postfix Grey-listing Policy service |
| 22 |
After=network.target |
| 23 |
|
| 24 |
[Service] |
| 25 |
+User=sqlgrey |
| 26 |
+Group=sqlgrey |
| 27 |
ExecStart=/usr/sbin/sqlgrey |
| 28 |
+CapabilityBoundingSet= |
| 29 |
+PrivateTmp=yes |
| 30 |
+PrivateDevices=yes |
| 31 |
+ProtectSystem=full |
| 32 |
+ProtectHome=yes |
| 33 |
+NoNewPrivileges=yes |
| 34 |
+MemoryDenyWriteExecute=true |
| 35 |
+ProtectKernelModules=true |
| 36 |
+ProtectKernelTunables=true |
| 37 |
+ProtectControlGroups=true |
| 38 |
+RestrictRealtime=true |
| 39 |
|
| 40 |
[Install] |
| 41 |
WantedBy=multi-user.target |
| 42 |
|
| 43 |
diff --git a/mail-filter/sqlgrey/sqlgrey-1.7.6-r1.ebuild b/mail-filter/sqlgrey/sqlgrey-1.7.6-r2.ebuild |
| 44 |
similarity index 100% |
| 45 |
rename from mail-filter/sqlgrey/sqlgrey-1.7.6-r1.ebuild |
| 46 |
rename to mail-filter/sqlgrey/sqlgrey-1.7.6-r2.ebuild |
Archives