Package: quassel-core
Severity: wishlist
X-Debbugs-Cc: jvalle...@mailbox.org

Dear Maintainer,

Please consider adding systemd service hardening options to the service file.
These are the options we have been using in FreedomBox [1]:

[Service]
LockPersonality=yes
LogsDirectory=quassel
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RestrictRealtime=yes
StateDirectory=quassel
SystemCallArchitectures=native

We have been using these options for about 1 year and did not see any issues.

[1] https://salsa.debian.org/freedombox-team/freedombox/-/blob/master/plinth/modules/quassel/data/lib/systemd/system/quasselcore.service.d/freedombox.conf

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages quassel-core depends on:
ii  adduser              3.118
ii  init-system-helpers  1.60
ii  libc6                2.31-11
ii  libgcc-s1            10.2.1-6
pn  libqca-qt5-2         <none>
ii  libqt5core5a         5.15.2+dfsg-5
ii  libqt5network5       5.15.2+dfsg-5
pn  libqt5script5        <none>
ii  libqt5sql5           5.15.2+dfsg-5
ii  libqt5sql5-sqlite    5.15.2+dfsg-5
ii  libstdc++6           10.2.1-6
ii  lsb-base             11.1.0
ii  openssl              1.1.1k-1
ii  zlib1g               1:1.2.11.dfsg-2

Versions of packages quassel-core recommends:
ii  ca-certificates  20210119

Versions of packages quassel-core suggests:
pn  libqt5sql5-psql  <none>
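
Added example (not part of the original report, and not Debian's or FreedomBox's code): a Python check that compares the [Service] section of unit-file text, for instance the output of `systemctl cat`, against the options listed in the report. The function names and the sample unit text are constructed for illustration; ReadWritePaths= is a standard systemd directive that the report does not mention.

```python
# Hardening set exactly as listed in the report.
YES_KEYS = ("LockPersonality NoNewPrivileges PrivateDevices PrivateMounts PrivateTmp "
            "ProtectControlGroups ProtectHome ProtectKernelLogs ProtectKernelModules "
            "ProtectKernelTunables RestrictRealtime").split()
LISTS = {"RestrictAddressFamilies": "AF_INET AF_INET6", "StateDirectory": "quassel",
         "LogsDirectory": "quassel", "SystemCallArchitectures": "native"}
PROPOSED = {**dict.fromkeys(YES_KEYS, "yes"), "ProtectSystem": "strict", **LISTS}
TRUE = {"1", "yes", "true", "on"}  # boolean spellings systemd accepts

# Constructed sample unit text (not the packaged quassel-core unit).
SAMPLE = """[Service]
NoNewPrivileges=true
PrivateTmp=on
ProtectSystem=full
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
"""

def parse_service(text):
    """Return {directive: [values]} for the [Service] section of unit-file text."""
    section, out = None, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            # An empty assignment resets whatever was set earlier.
            out[key] = out.get(key, []) + [value] if value else []
    return out

def audit(text):
    """List proposed directives that are unset or differ from the report's value."""
    have, findings = parse_service(text), []
    for key, want in PROPOSED.items():
        vals = have.get(key, [])
        if key in LISTS:  # list-valued: compare the merged set of tokens
            got = " ".join(sorted(set(" ".join(vals).split())))
        else:             # scalar: the last assignment wins
            got = vals[-1].lower() if vals else ""
        ok = got in TRUE if want == "yes" else got == " ".join(sorted(want.split()))
        if not ok:
            findings.append(f"{key}: want {want}, found {got or 'unset'}")
    # ProtectSystem=strict leaves the file system read-only to the service, so
    # the core needs StateDirectory= (or ReadWritePaths=) for its state.
    if have.get("ProtectSystem", [])[-1:] == ["strict"] and not (
            have.get("StateDirectory") or have.get("ReadWritePaths")):
        findings.append("ProtectSystem=strict but no writable state path declared")
    return findings
```

Calling `audit(SAMPLE)` returns one line per directive that is unset or differs; an empty list means the unit carries the full set from the report.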