Package: fancontrol
Version: 1:3.6.0-2
Tags: patch

Please add systemd hardening features to the fancontrol service. Also stop using the legacy directory /var/run, to avoid logs like:
Nov 11 18:29:59 desktopdebian systemd[1]: /lib/systemd/system/fancontrol.service:10: PIDFile= references a path below legacy directory /var/run/, updating /var/run/fancontrol.pid → /run/fancontrol.pid; please update the unit file accordingly. --- data/lib/systemd/system/fancontrol.service 2013-06-29 15:43:11.000000000 +0200 +++ /lib/systemd/system/fancontrol.service 2019-11-11 23:09:28.877420022 +0100 @@ -8,7 +8,26 @@ [Service] ExecStartPre=/usr/sbin/fancontrol --check ExecStart=/usr/sbin/fancontrol -PIDFile=/var/run/fancontrol.pid +PIDFile=/run/fancontrol.pid + +# hardening options +# details: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +# no ProtectKernelTunables for fan adjustments +AmbientCapabilities= +CapabilityBoundingSet= +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +PrivateDevices=yes +PrivateNetwork=yes +PrivateTmp=yes +ProtectControlGroups=yes +ProtectHome=yes +ProtectKernelModules=yes +ProtectSystem=full +RestrictNamespaces=yes +RestrictRealtime=yes +SystemCallFilter= [Install] WantedBy=multi-user.target
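Review bot: `+SystemCallFilter=` with an empty right-hand side resets the filter list rather than restricting anything, so this line adds no hardening and the comment block above it promises more than the unit delivers; either drop the line or give it a concrete set such as `SystemCallFilter=@system-service`, which is the usual choice for a service that needs fork/exec and plain file I/O, and confirm that `ExecStartPre=/usr/sbin/fancontrol --check` and the running daemon still pass. The same "verify it still works" caveat applies to the empty `+AmbientCapabilities=` and `+CapabilityBoundingSet=` lines combined with `+PrivateDevices=yes` and `+ProtectSystem=full`: the hunk's own comment says `ProtectKernelTunables` was left out because the daemon must write fan settings under /sys, so the submitter should state that the writes were tested with the capability set emptied, and `systemd-analyze security fancontrol.service` output before and after would make the gain in the patch description concrete. Minor: the PIDFile rename to `/run/fancontrol.pid` only silences the warning if the daemon itself writes its pid file to the same place; the hunk does not show where the script creates it, so a note confirming that would help the maintainer.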