From afa3206d0a7e4cd28a5b1e483793270a6e059484 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutrelis.com>
Date: Thu, 28 Jul 2022 23:52:37 +0300
Subject: [PATCH] geoipupdate: remove now redundant hardening config

The service hardening options have been included in geoipupdate 4.9.0-3 [1].

[1] https://bugs.archlinux.org/task/75434
---
 roles/geoipupdate/files/hardening.conf | 41 --------------------------
 roles/geoipupdate/handlers/main.yml    |  3 --
 roles/geoipupdate/tasks/main.yml       |  8 -----
 3 files changed, 52 deletions(-)
 delete mode 100644 roles/geoipupdate/files/hardening.conf
 delete mode 100644 roles/geoipupdate/handlers/main.yml

diff --git a/roles/geoipupdate/files/hardening.conf b/roles/geoipupdate/files/hardening.conf
deleted file mode 100644
index ef57a638d..000000000
--- a/roles/geoipupdate/files/hardening.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-[Service]
-NoNewPrivileges=true
-LockPersonality=true
-CapabilityBoundingSet=
-
-PrivateDevices=true
-PrivateTmp=true
-PrivateUsers=true
-ProtectSystem=strict
-ProtectHome=true
-ReadWritePaths=/var/lib/GeoIP
-
-MemoryDenyWriteExecute=true
-RemoveIPC=true
-RestrictRealtime=true
-RestrictNamespaces=true
-RestrictSUIDSGID=true
-
-RestrictAddressFamilies=AF_INET
-RestrictAddressFamilies=AF_INET6
-
-ProtectHostname=true
-ProtectControlGroups=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectClock=true
-ProtectProc=invisible
-
-SystemCallArchitectures=native
-SystemCallFilter=~@clock
-SystemCallFilter=~@cpu-emulation
-SystemCallFilter=~@debug
-SystemCallFilter=~@module
-SystemCallFilter=~@mount
-SystemCallFilter=~@obsolete
-SystemCallFilter=~@privileged
-SystemCallFilter=~@raw-io
-SystemCallFilter=~@reboot
-SystemCallFilter=~@resources
-SystemCallFilter=~@swap
diff --git a/roles/geoipupdate/handlers/main.yml b/roles/geoipupdate/handlers/main.yml
deleted file mode 100644
index b7dd1329d..000000000
--- a/roles/geoipupdate/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-- name: daemon reload
-  systemd:
-    daemon-reload: true
diff --git a/roles/geoipupdate/tasks/main.yml b/roles/geoipupdate/tasks/main.yml
index dced74cc1..5b277dae2 100644
--- a/roles/geoipupdate/tasks/main.yml
+++ b/roles/geoipupdate/tasks/main.yml
@@ -6,14 +6,6 @@
   template: src=GeoIP.conf.j2 dest=/etc/GeoIP.conf owner=root group=root mode=0600
   register: configuration
 
-- name: create drop-in directory for geoipupdate.service
-  file: path=/etc/systemd/system/geoipupdate.service.d state=directory owner=root group=root mode=0755
-
-- name: install drop-in for geoipupdate.service
-  copy: src=hardening.conf dest=/etc/systemd/system/geoipupdate.service.d/ owner=root group=root mode=0644
-  notify:
-    - daemon reload
-
 - name: run geoipupdate after installation or configuration change
   systemd: name=geoipupdate state=restarted
   when: installation is changed or configuration is changed
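Review bot: Hosts already provisioned by this role keep `/etc/systemd/system/geoipupdate.service.d/hardening.conf`, because the two install tasks are dropped here without a task that removes the file. The stale drop-in still merges with the packaged unit: its scalar settings take precedence over the package's, and list-type entries such as `SystemCallFilter=` and `RestrictAddressFamilies=` accumulate, so the effective sandbox can drift from what geoipupdate 4.9.0-3 ships. Consider a cleanup task such as `file: path=/etc/systemd/system/geoipupdate.service.d/hardening.conf state=absent` followed by a daemon reload. Note that `handlers/main.yml`, which provided `daemon reload`, is deleted in this same commit, so the reload would need its own task or the handler kept. Comparing `systemd-analyze security geoipupdate.service` on a host before and after the change would confirm the packaged unit gives equivalent coverage.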
-- 
GitLab