[Pkg-kde-extras] Bug#987648: quassel-core: Add hardening options to service file
James Valleroy
jvalleroy at mailbox.org
Mon Apr 26 23:46:23 BST 2021
Package: quassel-core
Severity: wishlist
X-Debbugs-Cc: jvalleroy at mailbox.org
Dear Maintainer,
Please consider adding systemd service hardening options to the service file.
These are the options we have been using in FreedomBox [1]:
[Service]
LockPersonality=yes
LogsDirectory=quassel
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RestrictRealtime=yes
StateDirectory=quassel
SystemCallArchitectures=native
We have been using these options for about 1 year and did not see any issues.
[1] https://salsa.debian.org/freedombox-team/freedombox/-/blob/master/plinth/modules/quassel/data/lib/systemd/system/quasselcore.service.d/freedombox.conf
-- System Information:
Debian Release: bullseye/sid
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages quassel-core depends on:
ii adduser 3.118
ii init-system-helpers 1.60
ii libc6 2.31-11
ii libgcc-s1 10.2.1-6
pn libqca-qt5-2 <none>
ii libqt5core5a 5.15.2+dfsg-5
ii libqt5network5 5.15.2+dfsg-5
pn libqt5script5 <none>
ii libqt5sql5 5.15.2+dfsg-5
ii libqt5sql5-sqlite 5.15.2+dfsg-5
ii libstdc++6 10.2.1-6
ii lsb-base 11.1.0
ii openssl 1.1.1k-1
ii zlib1g 1:1.2.11.dfsg-2
Versions of packages quassel-core recommends:
ii ca-certificates 20210119
Versions of packages quassel-core suggests:
pn libqt5sql5-psql <none>
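An added example, not part of the original report and not quassel or FreedomBox code: a small Python audit that folds a base unit and its drop-ins into effective [Service] settings and lists which of the options above are missing or differ. It assumes systemd's documented behaviour that repeated RestrictAddressFamilies= assignments merge and that an empty assignment resets the list; BASE_UNIT and all function names are constructed for illustration.

```python
DROPIN = """[Service]
LockPersonality=yes
LogsDirectory=quassel
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RestrictRealtime=yes
StateDirectory=quassel
SystemCallArchitectures=native
"""  # options copied from the report above
BASE_UNIT = """[Service]
ExecStart=/usr/bin/example-daemon
PrivateTmp=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
"""  # constructed base unit (assumption), not the packaged quasselcore.service
MERGED = {"RestrictAddressFamilies"}  # repeated assignments merge; empty value resets
TRUE = {"yes", "true", "on", "1"}     # boolean spellings systemd treats as true

def parse_service(text, settings=None):
    """Fold one unit file's [Service] assignments into settings (later files win)."""
    settings, section = dict(settings or {}), None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (p.strip() for p in line.split("=", 1))
            if key in MERGED and value and settings.get(key):
                value = settings[key] + " " + value  # list grows, it is not replaced
            settings[key] = value
    return settings

def norm(value):
    """Compare values as token sets, treating boolean spellings alike."""
    return frozenset("yes" if t.lower() in TRUE else t for t in value.split())

def audit(*unit_texts):
    """Return {option: (expected, effective)} for report options missing or different."""
    effective, baseline = {}, parse_service(DROPIN)
    for text in unit_texts:  # base unit first, then drop-ins in load order
        effective = parse_service(text, effective)
    return {k: (want, effective.get(k)) for k, want in baseline.items()
            if k not in effective or norm(effective[k]) != norm(want)}
```

With the constructed base unit, `audit(BASE_UNIT, DROPIN)` reports only RestrictAddressFamilies, because the drop-in's list is merged with the base unit's AF_UNIX; an empty `RestrictAddressFamilies=` line placed before it in the drop-in clears the earlier list.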