[tomoyo-users-en 720] [PATCH] Add systemd service for tomoyo-auditd

Topi Miettinen toiwo****@gmail*****
Mon Feb 24 06:27:02 JST 2020


Enable many hardening features provided by systemd for tomoyo-auditd.

Signed-off-by: Topi Miettinen <toiwo****@gmail*****>
---
  Include.make                                 |  1 +
  Makefile                                     |  1 +
  usr_lib_systemd_system/Makefile              |  7 ++++
  usr_lib_systemd_system/tomoyo-auditd.service | 39 ++++++++++++++++++++
  4 files changed, 48 insertions(+)
  create mode 100644 usr_lib_systemd_system/Makefile
  create mode 100644 usr_lib_systemd_system/tomoyo-auditd.service

diff --git a/Include.make b/Include.make
index ff08451..df8efa9 100644
--- a/Include.make
+++ b/Include.make
@@ -2,6 +2,7 @@ INSTALL         := install
  SBINDIR         := /sbin
  USRSBINDIR      := /usr/sbin
  USRLIBDIR       := /usr/lib
+SERVICEDIR      := /usr/lib/systemd/system
  MAN8            := /usr/share/man/man8
  ifndef CFLAGS
  CFLAGS          := -Wall -O2
diff --git a/Makefile b/Makefile
index e415823..606cbfc 100644
--- a/Makefile
+++ b/Makefile
@@ -8,6 +8,7 @@ install: all
         $(MAKE) -C usr_sbin install
         $(MAKE) -C usr_lib_tomoyo install
         $(MAKE) -C usr_share_man install
+       $(MAKE) -C usr_lib_systemd_system install

  clean:
  ##
diff --git a/usr_lib_systemd_system/Makefile 
b/usr_lib_systemd_system/Makefile
new file mode 100644
index 0000000..e3752a4
--- /dev/null
+++ b/usr_lib_systemd_system/Makefile
@@ -0,0 +1,7 @@
+include ../Include.make
+
+install:
+       mkdir -p -m 0755 $(INSTALLDIR)$(SERVICEDIR)
+       $(INSTALL) -m 0644 *.service $(INSTALLDIR)$(SERVICEDIR)
+
+.PHONY: install
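Review bot: In the `install` recipe, `mkdir -p -m 0755` applies the mode only to the final path component; any parent directories it has to create under `$(INSTALLDIR)` take their mode from the caller's umask, so a staging run with a permissive umask can leave group-writable directories above the unit directory. Because systemd reads these files as root, I would pin the umask in the recipe, e.g. `umask 022 && mkdir -p -m 0755 $(INSTALLDIR)$(SERVICEDIR)`, or reuse whatever directory-creation idiom the sibling Makefiles use (they are not visible in this patch). The `*.service` glob also installs any matching file that happens to sit in the directory; naming `tomoyo-auditd.service` explicitly keeps the installed set to what the patch intends.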
diff --git a/usr_lib_systemd_system/tomoyo-auditd.service 
b/usr_lib_systemd_system/tomoyo-auditd.service
new file mode 100644
index 0000000..a2d2d55
--- /dev/null
+++ b/usr_lib_systemd_system/tomoyo-auditd.service
@@ -0,0 +1,39 @@
+[Unit]
+Before=sysinit.target shutdown.target
+ConditionSecurity=tomoyo
+DefaultDependencies=no
+RequiresMountsFor=/var /sys
+
+[Service]
+CapabilityBoundingSet=
+DeviceAllow=/dev/null
+DevicePolicy=strict
+ExecStart=/usr/sbin/tomoyo-auditd
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+Restart=always
+RestrictAddressFamilies=
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@chown @clock @cpu-emulation @debug @ipc @module 
@mount @obsolete @privileged @raw-io @reboot @resources @swap 
memfd_create mincore mlock mlockall personality
+Type=forking
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
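Review bot: `ProtectSystem=strict` makes everything outside /dev, /proc and /sys read-only for the service, and the unit carries no `ReadWritePaths=` or `LogsDirectory=`, so a daemon that writes its audit logs below /var would fail on every write. `RequiresMountsFor=/var /sys` suggests it does, but the log location is not shown in this patch. If so, add a line such as `ReadWritePaths=<tomoyo-auditd log directory>` (placeholder, take the real path from the daemon's configuration) next to `ProtectSystem=strict`. Separately, the `SystemCallFilter=~…` deny list is wrapped across three lines in this posting; in the installed unit it has to be one logical line (or be continued with trailing backslashes), otherwise the entries on the wrapped lines are not part of the filter. With `DefaultDependencies=no`, `Before=shutdown.target` only orders the unit, so `Conflicts=shutdown.target` is also needed if the daemon should be stopped at shutdown.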
-- 
2.25.0



