Mercurial > louis > mq > lightsd

changeset 552:384131f70406

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
RestrictAddressFamilies breaks getifaddrs and move those additions to theirr own patches
author Louis Opter <louis@opter.org>
date Sun, 14 May 2017 13:59:19 -0700
parents 791cb4b91701
children b3de1b255605
files lightsd_systemd_drop_in_harden.patch series while42_sf.patch
diffstat 3 files changed, 30 insertions(+), 26 deletions(-) [+]
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/lightsd_systemd_drop_in_harden.patch	Sun May 14 13:59:19 2017 -0700
@@ -0,0 +1,29 @@
+# HG changeset patch
+# Parent  5304640171f0d46dfa96778d12917be784ef4c73
+lightsd: harden the systemd service configuration and add a sample drop-in
+
+diff --git a/dist/lightsd.service b/dist/lightsd.service
+--- a/dist/lightsd.service
++++ b/dist/lightsd.service
+@@ -8,6 +8,13 @@
+ Group=lightsd
+ RuntimeDirectory=lightsd
+ Restart=on-failure
++ProtectSystem=full
++ProtectHome=true
++ProtectKernelTunables=yes
++ProtectControlGroups=yes
++ProtectKernelModules=yes
++# Debian Stretch and after:
++# RestrictNamespaces=yes
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/examples/custom-exec-start.conf b/examples/custom-exec-start.conf
+new file mode 100644
+--- /dev/null
++++ b/examples/custom-exec-start.conf
+@@ -0,0 +1,3 @@
++[Service]
++ExecStart=
++ExecStart=/usr/bin/lightsd -t -v warning -s %t/lightsd/socket -c %t/lightsd/pipe -l :::56742
--- a/series	Sun May 14 13:29:30 2017 -0700
+++ b/series	Sun May 14 13:59:19 2017 -0700
@@ -1,5 +1,6 @@
 update_use_latex.cmake
 while42_sf.patch
+lightsd_systemd_drop_in_harden.patch
 add_windows_support.patch
 add_power_transition.patch #+future
 open_gateway_on_any_bulb_response.patch #+future
--- a/while42_sf.patch	Sun May 14 13:29:30 2017 -0700
+++ b/while42_sf.patch	Sun May 14 13:59:19 2017 -0700
@@ -2,32 +2,6 @@
 # Parent  dc2701ba73ff23c2273a684be729236c1ea57854
 slides: add slides for a small talk at while42 sf
 
-diff --git a/dist/lightsd.service b/dist/lightsd.service
---- a/dist/lightsd.service
-+++ b/dist/lightsd.service
-@@ -8,6 +8,14 @@
- Group=lightsd
- RuntimeDirectory=lightsd
- Restart=on-failure
-+ProtectSystem=full
-+ProtectHome=true
-+ProtectKernelTunables=yes
-+ProtectControlGroups=yes
-+ProtectKernelModules=yes
-+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-+# Debian Stretch and after:
-+# RestrictNamespaces=yes
- 
- [Install]
- WantedBy=multi-user.target
-diff --git a/examples/custom-exec-start.conf b/examples/custom-exec-start.conf
-new file mode 100644
---- /dev/null
-+++ b/examples/custom-exec-start.conf
-@@ -0,0 +1,3 @@
-+[Service]
-+ExecStart=
-+ExecStart=/usr/bin/lightsd -t -v warning -s %t/lightsd/socket -c %t/lightsd/pipe -l :::56742
 diff --git a/slides/2017_fosdem b/slides/2017_fosdem
 new file mode 120000
 --- /dev/null