Tags: patch Attached is a patch for a sandboxed systemd service file for scanlogd; it works OK on my amd64 machine. I've made an MR on Salsa, you can also review it there: https://salsa.debian.org/debian/scanlogd/-/merge_requests/2
Let me know how it goes!
>From f4ecec3d1a8b0f202e78c062c9460f534eb92157 Mon Sep 17 00:00:00 2001 From: Yifei Zhan <[email protected]> Date: Fri, 24 Oct 2025 20:23:09 -0400 Subject: [PATCH] debian: add systemd service file --- debian/scanlogd.service | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 debian/scanlogd.service diff --git a/debian/scanlogd.service b/debian/scanlogd.service new file mode 100644 index 0000000..bbaad32 --- /dev/null +++ b/debian/scanlogd.service @@ -0,0 +1,36 @@ +[Unit] +Description=Detects and logs TCP port scans +Documentation=man:scanlogd(8) +After=local-fs.target network-online.target + +[Service] +Type=forking +ExecStart=/usr/sbin/scanlogd +Restart=on-failure + +# scanlogd needs a chroot directory. the directory and its parent +# directories must not be writable by anyone but root +UMask=022 +ExecStartPre=mkdir -p /run/scanlogd/empty +ExecStartPre=chown root:root /run/scanlogd/ /run/scanlogd/empty + +# Sandboxing +NoNewPrivileges=yes +PrivateTmp=yes +ProtectHome=yes +ProtectProc=invisible +PrivateDevices=yes +ProtectControlGroups=yes +ProtectClock=yes +ProtectHostname=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectKernelLogs=yes +ProtectSystem=strict +RestrictNamespaces=yes +SystemCallFilter=~@debug @module @clock @swap +SystemCallArchitectures=native +MemoryDenyWriteExecute=yes + +[Install] +WantedBy=multi-user.target -- GitLab
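Review bot: the two `ExecStartPre=` lines (`mkdir -p /run/scanlogd/empty` and the `chown`) conflict with `ProtectSystem=strict` later in the same `[Service]` block: `strict` mounts the whole hierarchy read-only for every `Exec*=` command, including `/run`, so the `mkdir` can only succeed if the directory already exists or the sandbox is not actually in effect. The systemd-native way to get a root-owned 0755 directory under `/run` that is writable from inside the sandbox is `RuntimeDirectory=scanlogd/empty` (with `RuntimeDirectoryMode=0755` to make the intent explicit); that replaces both `ExecStartPre=` lines and the `UMask=022` workaround, and systemd removes the directory again on stop. Please also verify with `systemd-analyze security scanlogd.service` after the change. A second, smaller point: since the unit keeps the service running as root (no `User=`) so that scanlogd can open its capture socket and then chroot into the directory the comment describes, a `CapabilityBoundingSet=` limited to the capabilities it needs for that (raw socket, chroot, and dropping to its unprivileged user) would complement `NoNewPrivileges=yes`; the exact set should be confirmed against what the Debian build of scanlogd calls at startup rather than copied blindly.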

