# HG changeset patch
# User Louis Opter
# Date 1494795559 25200
# Node ID 384131f704068213082f9e337fe952b5f56c9f37
# Parent 791cb4b917015710e66c539fea14309bfc56eb7e
RestrictAddressFamilies breaks getifaddrs and move those additions to theirr own patches
diff -r 791cb4b91701 -r 384131f70406 lightsd_systemd_drop_in_harden.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lightsd_systemd_drop_in_harden.patch Sun May 14 13:59:19 2017 -0700
@@ -0,0 +1,29 @@
+# HG changeset patch
+# Parent 5304640171f0d46dfa96778d12917be784ef4c73
+lightsd: harden the systemd service configuration and add a sample drop-in
+
+diff --git a/dist/lightsd.service b/dist/lightsd.service
+--- a/dist/lightsd.service
++++ b/dist/lightsd.service
+@@ -8,6 +8,13 @@
+ Group=lightsd
+ RuntimeDirectory=lightsd
+ Restart=on-failure
++ProtectSystem=full
++ProtectHome=true
++ProtectKernelTunables=yes
++ProtectControlGroups=yes
++ProtectKernelModules=yes
++# Debian Stretch and after:
++# RestrictNamespaces=yes
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/examples/custom-exec-start.conf b/examples/custom-exec-start.conf
+new file mode 100644
+--- /dev/null
++++ b/examples/custom-exec-start.conf
+@@ -0,0 +1,3 @@
++[Service]
++ExecStart=
++ExecStart=/usr/bin/lightsd -t -v warning -s %t/lightsd/socket -c %t/lightsd/pipe -l :::56742
diff -r 791cb4b91701 -r 384131f70406 series
--- a/series Sun May 14 13:29:30 2017 -0700
+++ b/series Sun May 14 13:59:19 2017 -0700
@@ -1,5 +1,6 @@
 update_use_latex.cmake
 while42_sf.patch
+lightsd_systemd_drop_in_harden.patch
 add_windows_support.patch
 add_power_transition.patch #+future
 open_gateway_on_any_bulb_response.patch #+future
diff -r 791cb4b91701 -r 384131f70406 while42_sf.patch
--- a/while42_sf.patch Sun May 14 13:29:30 2017 -0700
+++ b/while42_sf.patch Sun May 14 13:59:19 2017 -0700
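Review bot: Dropping `RestrictAddressFamilies=` entirely from the `dist/lightsd.service` hunk of the new `lightsd_systemd_drop_in_harden.patch` leaves the daemon free to open sockets of any address family. The getifaddrs breakage named in the commit message is most likely caused by the allow-list lacking netlink, since glibc's getifaddrs() enumerates interfaces over an AF_NETLINK socket. Keeping the restriction with that family added, `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK`, should preserve the sandboxing; this needs a test on the target distributions before it ships. A comment beside it such as `# AF_NETLINK is required by getifaddrs()` would record why the family is allowed.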
@@ -2,32 +2,6 @@
 # Parent dc2701ba73ff23c2273a684be729236c1ea57854
 slides: add slides for a small talk at while42 sf
 
-diff --git a/dist/lightsd.service b/dist/lightsd.service
---- a/dist/lightsd.service
-+++ b/dist/lightsd.service
-@@ -8,6 +8,14 @@
- Group=lightsd
- RuntimeDirectory=lightsd
- Restart=on-failure
-+ProtectSystem=full
-+ProtectHome=true
-+ProtectKernelTunables=yes
-+ProtectControlGroups=yes
-+ProtectKernelModules=yes
-+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-+# Debian Stretch and after:
-+# RestrictNamespaces=yes
- 
- [Install]
- WantedBy=multi-user.target
-diff --git a/examples/custom-exec-start.conf b/examples/custom-exec-start.conf
-new file mode 100644
---- /dev/null
-+++ b/examples/custom-exec-start.conf
-@@ -0,0 +1,3 @@
-+[Service]
-+ExecStart=
-+ExecStart=/usr/bin/lightsd -t -v warning -s %t/lightsd/socket -c %t/lightsd/pipe -l :::56742
 diff --git a/slides/2017_fosdem b/slides/2017_fosdem
 new file mode 120000
 --- /dev/null