upgpkg: hound

* Harden systemd service.
* Move git from optdepends to depends.
George Rawlinson 2021-09-15 00:07:57 +00:00
parent c82f6ac988
commit e881c92cac
Signed by: grawlinson
GPG key ID: E0959FEA8B550539
2 changed files with 32 additions and 4 deletions


@ -7,10 +7,9 @@ pkgdesc="Lightning fast code searching made easy"
arch=('x86_64') arch=('x86_64')
url="https://github.com/hound-search/hound" url="https://github.com/hound-search/hound"
license=('MIT') license=('MIT')
depends=('glibc') depends=('glibc' 'git')
makedepends=('go') # no need for npm as the UI is pre-compiled makedepends=('go') # no need for npm as the UI is pre-compiled
optdepends=( optdepends=(
'git: for git repositories'
'bzr: for bazaar repositories' 'bzr: for bazaar repositories'
'mercurial: for mercurial repositories' 'mercurial: for mercurial repositories'
'svn: for subversion repositories' 'svn: for subversion repositories'
@ -22,11 +21,11 @@ source=(
'tmpfiles.conf' 'tmpfiles.conf'
) )
sha512sums=('5f72d63269f6ed548abe36a9736a72eadaf8e5149f8190648bfe9f64367084252e4f509321622e4f2ceb14baf03872a7db339aab75266c2d5a40577ab1fbd427' sha512sums=('5f72d63269f6ed548abe36a9736a72eadaf8e5149f8190648bfe9f64367084252e4f509321622e4f2ceb14baf03872a7db339aab75266c2d5a40577ab1fbd427'
'eca1ca8c4df3bb25fab83ff7ae15671a37f8a02860f606aee683b25263860a18c32855f118a73e802bc98912d39ece065c820a56c234707fff354bec069c03dd' '341e423b1572dea500e9f914ef9bb9dfba7fc19a1cdba0d92e0ba5cf021150bda4322981920902f1ffcade222f26df808fafd681d29841b4892e43af1bd2ec1f'
'f683d969f29a84251ef00aa8e1d713a3331756530ef50a3ad738baf15956e5e2b83c8f1611a9e8e8a1c3161c17d375fde54fb42c451849b4578c6a7342226121' 'f683d969f29a84251ef00aa8e1d713a3331756530ef50a3ad738baf15956e5e2b83c8f1611a9e8e8a1c3161c17d375fde54fb42c451849b4578c6a7342226121'
'9a26a065237d3edd2f09d399ad1999276304db71398a7737b846a5e70eb0740baab4bdd56dfb225060c3ca995f4c13db9cfec1aebe1825473a6299484bdac5b9') '9a26a065237d3edd2f09d399ad1999276304db71398a7737b846a5e70eb0740baab4bdd56dfb225060c3ca995f4c13db9cfec1aebe1825473a6299484bdac5b9')
b2sums=('eec71fbd4716848901d55db743a81971c2b595330b5a86ed78d0142a9bf42df8c12da196991019d671ad84fa63a746b05bf681f178e166dc0ea10650ee32e4bc' b2sums=('eec71fbd4716848901d55db743a81971c2b595330b5a86ed78d0142a9bf42df8c12da196991019d671ad84fa63a746b05bf681f178e166dc0ea10650ee32e4bc'
'90f529ed44632f0c17c994d9f80dfdfbda8c7de61a4d7756f05d5aa52c582c9fa7e280a3003b28758097d3fa2311697b8f9c14ff17ca0f90600908581f46e085' '09ba5894d734ae51126e515192e307b7ece3c5a6def93f5218b445c146e5081c6094f86449eadb724517c09c5f5b8d309b1bfea15b6c402a6b31b9c7366c3198'
'cc66b8408c35c73911fd01c1c4137401ea223db828085e8750f25f4f41f42c2eda3f3fc5a0b3f64e08495ad4a6367a0ff35b132c924f396bfbe4da47899c6edd' 'cc66b8408c35c73911fd01c1c4137401ea223db828085e8750f25f4f41f42c2eda3f3fc5a0b3f64e08495ad4a6367a0ff35b132c924f396bfbe4da47899c6edd'
'509003822d9bd826b5921d52483c79a5275b1da121e6f88bf66a644681c2a76a7abac5cf8241a094100c164f32e510da04b9f6037cf5e0910c98b062c68742e5') '509003822d9bd826b5921d52483c79a5275b1da121e6f88bf66a644681c2a76a7abac5cf8241a094100c164f32e510da04b9f6037cf5e0910c98b062c68742e5')


@ -12,5 +12,34 @@ ExecStart=/usr/bin/houndd
Restart=always Restart=always
RestartSec=30 RestartSec=30
# Hardening
ReadWritePaths=/var/lib/hound
NoNewPrivileges=true
LimitNOFILE=1048576
UMask=0077
ProtectSystem=full
ProtectHome=true
PrivateUsers=yes
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
CapabilityBoundingSet=
AmbientCapabilities=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
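Review bot: `ReadWritePaths=/var/lib/hound` at the top of the new hardening block has no effect as written, because `ProtectSystem=full` only remounts /usr, /boot, /efi and /etc read-only and leaves /var writable; the directive only does something together with `ProtectSystem=strict`. If the index and configuration really live under /var/lib/hound, the intended pairing is `ProtectSystem=strict` (or `StateDirectory=hound`, which creates the directory and implicitly adds it to ReadWritePaths). Whether the unit sets `User=` is not visible in this hunk — `PrivateUsers=yes` and the emptied `CapabilityBoundingSet=`/`AmbientCapabilities=` only harden anything if the daemon does not run as root, so that is worth confirming against the top of the `[Service]` section. `LimitNOFILE=1048576` is a resource limit rather than a hardening setting and would read better placed above the `# Hardening` comment. The `[Service]` section begins outside the hunk.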