From a9cb17d75eb1bc27b774a87b5db24a29f02000a5 Mon Sep 17 00:00:00 2001
From: Vitaly Zaitsev
Date: Feb 28 2020 15:02:57 +0000
Subject: Added hardening patch again (missing in 1.3.1).
---
diff --git a/earlyoom-unit-hardening.patch b/earlyoom-unit-hardening.patch
new file mode 100644
index 0000000..351927e
--- /dev/null
+++ b/earlyoom-unit-hardening.patch
@@ -0,0 +1,32 @@
+From f2b45e6a18a0624032d289318569ad57c24fd419 Mon Sep 17 00:00:00 2001
+From: Jakob Unterwurzacher
+Date: Wed, 12 Feb 2020 22:19:49 +0100
+Subject: [PATCH] earlyoom.service: drop root privileges
+
+Run as a random unprivilege user instead of as root,
+but add the capabilities CAP_KILL CAP_IPC_LOCK.
+
+Supersedes https://github.com/rfjakob/earlyoom/pull/158
+---
+ earlyoom.service.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/earlyoom.service.in b/earlyoom.service.in
+index 5f193f0..2df9330 100644
+--- a/earlyoom.service.in
++++ b/earlyoom.service.in
+@@ -5,6 +5,14 @@ Documentation=man:earlyoom(1) https://github.com/rfjakob/earlyoom
+ [Service]
+ EnvironmentFile=-:SYSCONFDIR:/default/earlyoom
+ ExecStart=:TARGET:/earlyoom $EARLYOOM_ARGS
++# Run as an unprivileged user with random user id
++DynamicUser=true
++# Allow killing processes and calling mlockall()
++AmbientCapabilities=CAP_KILL CAP_IPC_LOCK
++# We don't need write access anywhere
++ProtectSystem=strict
++# We don't need /home at all, make it inaccessible
++ProtectHome=true
+ 
+ [Install]
+ WantedBy=multi-user.target
diff --git a/earlyoom.spec b/earlyoom.spec
index 62fa5ff..df58e2f 100644
--- a/earlyoom.spec
+++ b/earlyoom.spec
@@ -7,6 +7,9 @@ URL: https://github.com/rfjakob/%{name}
 Summary: Early OOM Daemon for Linux
 Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 
+# https://github.com/rfjakob/earlyoom/commit/f2b45e6a18a0624032d289318569ad57c24fd419
+Patch100: %{name}-unit-hardening.patch
+
 %{?systemd_requires}
 BuildRequires: systemd
 BuildRequires: pandoc
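Review bot: The new [Service] lines hand the process CAP_KILL and CAP_IPC_LOCK as ambient capabilities but never bound the capability set, so the unit itself does not say these two are the only capabilities the daemon may ever hold; adding `CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK` directly under the AmbientCapabilities= line makes that explicit and keeps holding if someone later drops DynamicUser= (which is what currently implies NoNewPrivileges=). ProtectSystem=strict is already implied by DynamicUser=true, so the explicit line is harmless but its comment should say so, e.g. `# Read-only filesystem (already implied by DynamicUser=, kept explicit)`. Because DynamicUser= also implies NoNewPrivileges=, any option passed through $EARLYOOM_ARGS that shells out to a setuid helper such as sudo for desktop notifications would stop working under this unit — worth checking against the defaults shipped in /etc/default/earlyoom. Further directives that do not conflict with earlyoom's /proc reads (`ProtectKernelTunables=true`, `ProtectControlGroups=true`, `RestrictNamespaces=true`) are absent here; the rest of the [Service] section lies outside the hunk, so some may already be set.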
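Review bot: Patch100 is only declared in this hunk; whether it is ever applied depends on %prep, which lies outside the hunk — with a plain %setup and no `%patch100 -p1` (or no %autosetup), the hardening never reaches the built earlyoom.service, silently reproducing the "missing in 1.3.1" situation the commit subject describes. A quick `rpmbuild -bp earlyoom.spec` followed by `grep -n DynamicUser earlyoom.service.in` in the build tree confirms it was applied. The directives in the patch (DynamicUser=, ProtectSystem=strict) need systemd 232 or newer; if this spec is also built for a distribution with an older systemd, the patch should be made conditional, since older systemd logs unknown directives and ignores them, leaving earlyoom running as root with no indication in the package that the hardening is inactive.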