From 2b45a8cff928e538f21533645fb79fef08d1b4cf Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Thu, 7 Feb 2019 21:20:14 -0800
Subject: [PATCH] mldonkey: Add systemd service file with security options
- This solves the problem with init that causes the daemon not to stop.
- The file is installed with same name as init script so as to make sure init script become overridden.
- It is installed in /lib/systemd/system/mldonkey-server.service.d/ so that this service file can one day be upstreamed and at that time it does not conflict with freedombox package carrying the same file.
- Add strict security options.
- Tested by watching mldonkey logs, doing some searching and downloading from the UI.
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 .../mldonkey-server.service.d/freedombox.conf | 36 +++++++++++++++++++
 setup.py | 2 ++
 2 files changed, 38 insertions(+)
 create mode 100644 data/lib/systemd/system/mldonkey-server.service.d/freedombox.conf
diff --git a/data/lib/systemd/system/mldonkey-server.service.d/freedombox.conf b/data/lib/systemd/system/mldonkey-server.service.d/freedombox.conf
new file mode 100644
index 000000000..5cbb13cee
--- /dev/null
+++ b/data/lib/systemd/system/mldonkey-server.service.d/freedombox.conf
@@ -0,0 +1,36 @@
+[Unit]
+Description=MLDonkey: Multi-protocol, peer-to-peer file sharing server
+After=syslog.target network.target
+ConditionPathExists=/var/lib/mldonkey/downloads.ini
+Documentation=man:mlnet(1) http://mldonkey.sourceforge.net/Main_Page
+
+[Service]
+ExecStart=
+ExecStart=/usr/bin/mlnet
+ExecStop=
+Group=mldonkey
+IgnoreSIGPIPE=yes
+KillMode=control-group
+LockPersonality=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/var/lib/mldonkey
+RemainAfterExit=no
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=yes
+StateDirectory=mldonkey
+SystemCallArchitectures=native
+Type=simple
+User=mldonkey
+WorkingDirectory=/var/lib/mldonkey
+
+[Install]
+WantedBy=multi-user.target
diff --git a/setup.py b/setup.py
index b7bab5163..f55ff4bef 100755
--- a/setup.py
+++ b/setup.py
@@ -247,6 +247,8 @@ setuptools.setup(
 'data/etc/sudoers.d/plinth'
 ]),
 ('/lib/systemd/system', glob.glob('data/lib/systemd/system/*.service')),
+ ('/lib/systemd/system/mldonkey-server.service.d',
+ ['data/lib/systemd/system/mldonkey-server.service.d/freedombox.conf']),
 ('/lib/systemd/system', glob.glob('data/lib/systemd/system/*.timer')),
 ('/etc/mediawiki', glob.glob('data/etc/mediawiki/*.php')),
 ('/etc/update-motd.d/', [
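Review bot: The [Service] hardening in freedombox.conf leaves namespace creation and the system-call surface unrestricted, which matters for a daemon that parses data from untrusted peers. Consider adding `RestrictNamespaces=yes` and `SystemCallFilter=@system-service` with `SystemCallErrorNumber=EPERM`, then repeating the search-and-download test, since a filter that is too tight only shows up at runtime. `ReadWritePaths=/var/lib/mldonkey` looks redundant next to `StateDirectory=mldonkey`, which should already keep that directory writable under `ProtectSystem=strict`. The empty `ExecStart=` and `ExecStop=` lines deserve a comment such as `# Clear the commands inherited from the generated init-script unit` so the reset is not mistaken for a leftover.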