upgpkg: hound

* Harden systemd service. * Move git from optdepends to depends.
2021-09-15 00:07:57 +00:00 · 2021-09-15 00:07:57 +00:00 · e881c92cac
parent c82f6ac988
commit e881c92cac
2 changed files with 32 additions and 4 deletions
--- a/hound/PKGBUILD
+++ b/hound/PKGBUILD
@ -7,10 +7,9 @@ pkgdesc="Lightning fast code searching made easy"
 arch=('x86_64')
 url="https://github.com/hound-search/hound"
 license=('MIT')
-depends=('glibc')
+depends=('glibc' 'git')
 makedepends=('go') # no need for npm as the UI is pre-compiled
 optdepends=(
-  'git: for git repositories'
  'bzr: for bazaar repositories'
  'mercurial: for mercurial repositories'
  'svn: for subversion repositories'
@ -22,11 +21,11 @@ source=(
  'tmpfiles.conf'
 )
 sha512sums=('5f72d63269f6ed548abe36a9736a72eadaf8e5149f8190648bfe9f64367084252e4f509321622e4f2ceb14baf03872a7db339aab75266c2d5a40577ab1fbd427'
-            'eca1ca8c4df3bb25fab83ff7ae15671a37f8a02860f606aee683b25263860a18c32855f118a73e802bc98912d39ece065c820a56c234707fff354bec069c03dd'
+            '341e423b1572dea500e9f914ef9bb9dfba7fc19a1cdba0d92e0ba5cf021150bda4322981920902f1ffcade222f26df808fafd681d29841b4892e43af1bd2ec1f'
            'f683d969f29a84251ef00aa8e1d713a3331756530ef50a3ad738baf15956e5e2b83c8f1611a9e8e8a1c3161c17d375fde54fb42c451849b4578c6a7342226121'
            '9a26a065237d3edd2f09d399ad1999276304db71398a7737b846a5e70eb0740baab4bdd56dfb225060c3ca995f4c13db9cfec1aebe1825473a6299484bdac5b9')
 b2sums=('eec71fbd4716848901d55db743a81971c2b595330b5a86ed78d0142a9bf42df8c12da196991019d671ad84fa63a746b05bf681f178e166dc0ea10650ee32e4bc'
-        '90f529ed44632f0c17c994d9f80dfdfbda8c7de61a4d7756f05d5aa52c582c9fa7e280a3003b28758097d3fa2311697b8f9c14ff17ca0f90600908581f46e085'
+        '09ba5894d734ae51126e515192e307b7ece3c5a6def93f5218b445c146e5081c6094f86449eadb724517c09c5f5b8d309b1bfea15b6c402a6b31b9c7366c3198'
        'cc66b8408c35c73911fd01c1c4137401ea223db828085e8750f25f4f41f42c2eda3f3fc5a0b3f64e08495ad4a6367a0ff35b132c924f396bfbe4da47899c6edd'
        '509003822d9bd826b5921d52483c79a5275b1da121e6f88bf66a644681c2a76a7abac5cf8241a094100c164f32e510da04b9f6037cf5e0910c98b062c68742e5')

--- a/hound/systemd.service
+++ b/hound/systemd.service
@ -12,5 +12,34 @@ ExecStart=/usr/bin/houndd
 Restart=always
 RestartSec=30

+# Hardening
+ReadWritePaths=/var/lib/hound
+NoNewPrivileges=true
+LimitNOFILE=1048576
+UMask=0077
+ProtectSystem=full
+ProtectHome=true
+PrivateUsers=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+CapabilityBoundingSet=
+AmbientCapabilities=
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+
 [Install]
 WantedBy=multi-user.target