Merge branch 'no_new_privs' into 'develop'

Add no_new_privs to OpenRC service files

See merge request pleroma/pleroma!3905

3 files changed, 3 insertions, 0 deletions

diff --git a/changelog.d/no_new_privs.add b/changelog.d/no_new_privs.add
new file mode 100644
index 000000000..b67396a4b
--- /dev/null
+++ b/changelog.d/no_new_privs.add
@@ -0,0 +1 @@
+(hardening) Add no_new_privs=yes to OpenRC service files
diff --git a/installation/init.d/pleroma b/installation/init.d/pleroma
index 384536f7e..cb6635a0b 100755
--- a/installation/init.d/pleroma
+++ b/installation/init.d/pleroma
@@ -8,6 +8,7 @@ pidfile="/var/run/pleroma.pid"
 directory=/opt/pleroma
 healthcheck_delay=60
 healthcheck_timer=30
+no_new_privs="yes"
 
 : ${pleroma_port:-4000}
 
diff --git a/rel/files/installation/init.d/pleroma b/rel/files/installation/init.d/pleroma
index dea1db26c..ca5b842e1 100755
--- a/rel/files/installation/init.d/pleroma
+++ b/rel/files/installation/init.d/pleroma
@@ -9,6 +9,7 @@ command=/opt/pleroma/bin/pleroma
 command_args="start"
 command_user=pleroma
 command_background=1
+no_new_privs="yes"
 
 # Ask process to terminate within 30 seconds, otherwise kill it
 retry="SIGTERM/30/SIGKILL/5"