Date: Saturday, January 9, 2021 @ 00:30:35 Author: dvzrv Revision: 814255
upgpkg: umurmur 0.2.18-1: Upgrade to 0.2.18. Switch to openssl as TLS provider as it is upstream's default. Patch cmake setup to install the config with more strict permissions to correct location. Make build and installation more verbose. Harden the systemd system service further. Added: umurmur/trunk/umurmur-0.2.18-cmake.patch Modified: umurmur/trunk/PKGBUILD umurmur/trunk/umurmur.service ----------------------------+ PKGBUILD | 43 ++++++++++++++++------------ umurmur-0.2.18-cmake.patch | 26 +++++++++++++++++ umurmur.service | 64 +++++++++++++++++++++++++++++++++---------- 3 files changed, 101 insertions(+), 32 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2021-01-09 00:30:01 UTC (rev 814254) +++ PKGBUILD 2021-01-09 00:30:35 UTC (rev 814255) 
@@ -5,28 +5,38 @@ # Contributor: xav <xav at ethertricks dot net> pkgname=umurmur -pkgver=0.2.17 -pkgrel=19 +pkgver=0.2.18 +pkgrel=1 pkgdesc='Minimalistic Mumble server' url="https://github.com/umurmur/umurmur" arch=('x86_64') license=('BSD') -depends=('glibc') -makedepends=('cmake' 'libconfig' 'protobuf-c' 'mbedtls') +depends=('glibc' 'openssl') +makedepends=('cmake' 'libconfig' 'protobuf-c') backup=('etc/umurmur/umurmur.conf') source=(${pkgname}-${pkgver}.tar.gz::https://github.com/umurmur/umurmur/archive/${pkgver}.tar.gz + "${pkgname}-0.2.18-cmake.patch" umurmur.sysusers umurmur.service umurmur.tmpfiles) -sha256sums=('e77b7b6616768f4a1c07442afe49a772692f667b00c23cc85909d4dd0ce206d2' - '0fc68df464ee51a431d934d068aed0be5f8c5e64d0bd29848f97532d39f8c310' - 'b8b22b6299777fbd1d12e3105280c8585ceca9b6caf7b8d3ab0642c5a56b031f' - '287068f47fc035a70e2ae0c8434e8013f176d185bf7688216c36976982fe4491') -sha512sums=('a496a51fd7815ad117f5aee17bb78cbd319c584ad60ab8aebbfd8ddf7b1760f443f2337bc74be1e0d5af17d3c3df2ae6c9060eca576cf1e6ed4c6cb0825e9c15' +sha512sums=('bd1cd7149684dbe42b9804c9a5539cdb2becf6b721d74bd88d154e9037d3289ab57ee816c0592a0167ddd302da68d94017c86deb96348d272ec9bd21e9628656' + 'b3f0a6c7d7cfe94e6ffceed832b8bcdda256e27f350abf80697d81ba154cd529a8b54fb8dac05273886e75d137ebcd71b4c9c06fdb7d0f45f1345a7cf9418b3f' 'd84950a32ab8a2e84f5fe333cd2894e52aba624531644d106c982aa4ff04271d318543398fa7f48c719f26338679fa971bb5332472e9040ac9aa8a9b4a1f2832' - '746a3e2d9e8c5154bdfb2cef6cbe39cccf0356bc1dde0434b92ec1a6b224a5bfa51fd15483c3ac5a75292eae7a6d4b0431ecb2a586bdd9fcc3fe9b2a7bff64a1' + '1e4c7c41fdcc37aa681080ee6f0bb617e7d7245d23e07b586807b2fcb3c04f4d5109e6fad50ec43738007f57e9585b5622f112be3b0def155b5ac144f88930a7' '825b50448231b5d791e87d7c4c471fdfe2e9a1560dad6fc90c2f4f8d0c5ed682291bf20b147a6a8c7ae361aeb8b1a11c24c6d41ffc17f06fb0f5ccd8208a899a') +b2sums=('45a6e247dee604861e70698350b7b0ee28fd7ee82a94f684eae8ff5ab7daa0c3446b32c4aa28b39e64588944b8b81c4e2a11db79d0bde9e4a2012e67b4125be2' + 
'ff64c6179ebd6a21e3d51acef36c23955a4a1fcc1a9794686f8a0a447ec36f7c8b490c0ba553971bb76fbf77bda0600ddb4acf0163fa492d6e1dc75d29ba059d' + '549dda6277c3758d221a259d08d3f91658d7615b0c06ebf2af6f3966fd798ce6228ff9ccb653daeb1d2b592e029e96e756df779ad0d4a809e224f2071e5d76cc' + 'a4be46591c2e5315826708587a8e9f9416e8ce91580457b0a9fc36dc3749eeb5737a9e1ebc47387c160e1de897ab940c3badaeb03f06f542c4f76536df1d5590' + '355eb00fc390ff200c96ef179f2f8cab4b4a5aeca3db0781556b567de44996562f12f7cc69225159e8b1cdb26b0bacf38c7776cdc553bbe0745eb0228219df4c') +prepare() { + cd ${pkgname}-${pkgver} + # fix config install directory + # https://github.com/umurmur/umurmur/pull/164 + patch -Np1 -i "../${pkgname}-0.2.18-cmake.patch" +} + build() { cd ${pkgname}-${pkgver} export CFLAGS+=" ${CPPFLAGS}" 
@@ -33,24 +43,21 @@ export CXXFLAGS+=" ${CPPFLAGS}" cmake -DCMAKE_INSTALL_PREFIX='/usr' \ -DCMAKE_BUILD_TYPE='None' \ - -DSSL=mbedtls \ -Wno-dev \ -B build \ -S . - make -C build + make VERBOSE=1 -C build } package() { - depends+=('libconfig.so' 'libmbedcrypto.so' 'libmbedtls.so' 'libmbedx509.so' 'libprotobuf-c.so') + depends+=('libconfig.so' 'libprotobuf-c.so') cd ${pkgname}-${pkgver} - make -C build DESTDIR="${pkgdir}" install - install -vDm 640 "${pkgdir}/usr/etc/umurmur.conf" -t "${pkgdir}/etc/umurmur" - rm -r "${pkgdir}/usr/etc" + make VERBOSE=1 DESTDIR="${pkgdir}" install -C build install -vDm 644 "${srcdir}/umurmur.service" -t "${pkgdir}/usr/lib/systemd/system" - install -vDm 644 LICENSE -t "${pkgdir}/usr/share/licenses/${pkgname}" - install -vDm 644 "${srcdir}/umurmur.sysusers" "${pkgdir}/usr/lib/sysusers.d/umurmur.conf" install -vDm 644 "${srcdir}/umurmur.tmpfiles" "${pkgdir}/usr/lib/tmpfiles.d/umurmur.conf" + install -vDm 644 LICENSE -t "${pkgdir}/usr/share/licenses/${pkgname}" + install -vDm 644 {AUTHORS,ChangeLog,README.md} -t "${pkgdir}/usr/share/doc/${pkgname}" } # vim: ts=2 sw=2 et: Added: umurmur-0.2.18-cmake.patch =================================================================== --- umurmur-0.2.18-cmake.patch (rev 0) +++ umurmur-0.2.18-cmake.patch 2021-01-09 00:30:35 UTC (rev 814255) 
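Review bot: build() no longer passes any `-DSSL=` value, so the TLS backend is whatever upstream's CMake default happens to be, while the new `depends=('glibc' 'openssl')` asserts OpenSSL. Passing the provider explicitly in the cmake call, e.g. `-DSSL=openssl \` (assuming that is the value upstream's option accepts), would stop a later change of upstream default from silently switching the crypto library the daemon links against. A one-line comment there saying why the provider moved away from mbedtls would also help the next maintainer.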
@@ -0,0 +1,26 @@
+diff -ruN a/CMakeLists.txt b/CMakeLists.txt
+--- a/CMakeLists.txt 2020-12-31 09:56:25.000000000 +0100
++++ b/CMakeLists.txt 2021-01-07 17:29:04.152477922 +0100
+@@ -18,15 +18,16 @@
+
+ include(Options)
+ include(Tools)
++include(GNUInstallDirs)
+
+ find_package(Libconfig REQUIRED)
+ find_package(ProtobufC REQUIRED)
+
+ add_subdirectory(src)
+
+-find_path(OLD_CONFIG_FILE NAMES "umurmur.conf" PATHS ${CMAKE_INSTALL_PREFIX} PATH_SUFFIXES "etc")
+-
+-if(NOT OLD_CONFIG_FILE)
+- install(FILES "umurmur.conf.example" DESTINATION "etc" RENAME "umurmur.conf")
+-endif()
+-
++install(
++ FILES "umurmur.conf.example"
++ DESTINATION "/${CMAKE_INSTALL_SYSCONFDIR}/umurmur"
++ PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ
++ RENAME "umurmur.conf"
++)
Modified: umurmur.service
===================================================================
--- umurmur.service 2021-01-09 00:30:01 UTC (rev 814254)
+++ umurmur.service 2021-01-09 00:30:35 UTC (rev 814255)
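Review bot: `DESTINATION "/${CMAKE_INSTALL_SYSCONFDIR}/umurmur"` builds an absolute path by prefixing `/` to a variable that GNUInstallDirs defines as relative by default, which pins the config to /etc for every prefix and produces a doubled slash if someone passes an absolute CMAKE_INSTALL_SYSCONFDIR. `DESTINATION "${CMAKE_INSTALL_FULL_SYSCONFDIR}/umurmur"` resolves to /etc/umurmur for the /usr prefix used in the PKGBUILD and stays correct for other prefixes. The patch also drops the OLD_CONFIG_FILE guard, so a plain `make install` outside a package manager now overwrites an existing umurmur.conf. The 0640 mode sets no owner or group, so the group read bit only helps the daemon if something else (presumably the tmpfiles entry, not visible here) assigns the file to its group.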
@@ -3,24 +3,60 @@
 After=network.target
 [Service]
-Type=simple
-User=umurmur
-Group=umurmur
-PIDFile=/run/umurmurd.pid
+CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_PTRACE
+CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
+CapabilityBoundingSet=~CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER
+CapabilityBoundingSet=~CAP_NET_ADMIN
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_KILL
+CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_SYS_BOOT
+CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_SYS_CHROOT
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
+CapabilityBoundingSet=~CAP_LEASE
+CapabilityBoundingSet=~CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CPUAccounting=true
+DevicePolicy=closed
 ExecStartPre=/usr/bin/umurmurd -t -c /etc/umurmur/umurmur.conf
 ExecStart=/usr/bin/umurmurd -d -r -c /etc/umurmur/umurmur.conf
 ExecReload=/bin/kill -HUP $MAINPID
-PrivateDevices=yes
-PrivateTmp=yes
+Group=umurmur
+IPAccounting=true
+LimitRTPRIO=1
+LockPersonality=true
+MemoryAccounting=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PIDFile=/run/umurmurd.pid
+PrivateDevices=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
 ProtectSystem=strict
 ReadWriteDirectories=/etc/umurmur
-ProtectHome=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
-NoNewPrivileges=yes
-LimitRTPRIO=1
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+UMask=007
+User=umurmur
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
\ No newline at end of file
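Review bot: The nineteen `CapabilityBoundingSet=~…` lines form a denylist, so any capability not named in them, including ones added by future kernels, stays in the bounding set. The unit already sets `User=umurmur` and `NoNewPrivileges=true` and explicitly drops CAP_NET_BIND_SERVICE and CAP_SYS_NICE, which suggests the daemon needs no capabilities at all. A single empty `CapabilityBoundingSet=` would express that as an allowlist and is easier to audit. `PIDFile=/run/umurmurd.pid` is carried over although `Type=simple` was removed and ExecStart passes `-d`. If that flag keeps the daemon in the foreground the setting is unused, and under `ProtectSystem=strict` the unprivileged process could not write to /run anyway, so it can probably be dropped. The new file also ends without a trailing newline.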
