From 36efcf03ac4cee6d032dcdd79466df87243d7c6b Mon Sep 17 00:00:00 2001
From: William Desportes 
Date: Sat, 1 Mar 2025 10:52:36 +0100
Subject: [PATCH] Fix #248 - Make a Debian package
---
 snow-scanner/Cargo.toml | 28 +++++++
 .../debian/snow-scanner-worker.service | 77 +++++++++++++++++++
 snow-scanner/debian/snow-scanner.service | 77 +++++++++++++++++++
 3 files changed, 182 insertions(+)
 create mode 100644 snow-scanner/debian/snow-scanner-worker.service
 create mode 100644 snow-scanner/debian/snow-scanner.service
diff --git a/snow-scanner/Cargo.toml b/snow-scanner/Cargo.toml
index 3171e01..917f648 100644
--- a/snow-scanner/Cargo.toml
+++ b/snow-scanner/Cargo.toml
@@ -76,3 +76,31 @@ cidr = "0.3.0"
 serde = { version = "1.0.210", features = ["derive"] }
 serde_json = "1.0.128"
 weighted-rs = "0.1.3"
+
+[package.metadata.deb]
+maintainer = "William Desportes "
+copyright = "2022-2025, William Desportes "
+license-file = ["../LICENSE"]
+extended-description = """\
+Find hidden IPs in the internet snow."""
+depends = "$auto"
+section = "rust"
+priority = "optional"
+assets = [
+ { source = "README.md", dest = "usr/share/doc/snow-scanner/README", mode = "644"},
+ { source = "../data/collections/*/*", dest = "usr/share/snow-scanner/data/collections", mode = "644"},
+ { source = "../data/scanners/*", dest = "usr/share/snow-scanner/data/scanners", mode = "644"},
+ { source = "target/release/snow-scanner", dest = "usr/bin/snow-scanner", mode = "777"},
+ { source = "target/release/snow-scanner-worker", dest = "usr/bin/snow-scanner-worker", mode = "777"},
+]
+
+maintainer-scripts = "debian/"
+systemd-units = [
+ { unit-name = "snow-scanner", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true },
+ { unit-name = "snow-scanner-worker", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true }
+]
+
+conf-files = [
+ "/etc/snow-scanner/.env",
+ "/etc/snow-scanner/worker.env"
+]
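Review bot: The two binary entries in `assets` are installed with `mode = "777"`, which makes `/usr/bin/snow-scanner` and `/usr/bin/snow-scanner-worker` world-writable, so any local account could replace the executable that the systemd units run; Debian policy expects 0755 for executables, so both lines should read `mode = "755"` (the `"644"` entries for the README and data files are fine). The units run as `User=snow-scanner`, but nothing in this patch creates that account: `maintainer-scripts = "debian/"` is declared, yet the diffstat lists only the two `.service` files under `debian/`, so unless a postinst with the `adduser --system` call exists outside this diff, both services will fail to start on an unknown user (`DynamicUser=yes` in the units would be the alternative). `conf-files` names `/etc/snow-scanner/.env` and `/etc/snow-scanner/worker.env`, but neither path appears in `assets`, so nothing in this hunk installs them; if they are meant to hold credentials, shipping them here with a restrictive mode such as `"640"` and the service group as owner is worth adding.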
diff --git a/snow-scanner/debian/snow-scanner-worker.service b/snow-scanner/debian/snow-scanner-worker.service
new file mode 100644
index 0000000..ebd9b21
--- /dev/null
+++ b/snow-scanner/debian/snow-scanner-worker.service
@@ -0,0 +1,77 @@
+[Unit]
+Description=Snow scanner worker
+After=network.target
+
+[Service]
+Type=simple
+User=snow-scanner
+Group=snow-scanner
+EnvironmentFile=/etc/snow-scanner/worker.env
+
+RemoveIPC=true
+ProtectHome=true
+NoNewPrivileges=true
+
+PrivateTmp=false
+ProtectSystem=strict
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
+# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
+# This is useful to turn off physical device access by the executed process
+PrivateDevices=true
+# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
+DevicePolicy=closed
+ProtectProc=invisible
+ProtectClock=true
+ProcSubset=pid
+ProtectHostname=true
+ProtectKernelLogs=true
+# This will fail icmp pingers if set to true
+PrivateUsers=false
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
+SystemCallFilter=~@pkey @ipc
+
+# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately. 
+SystemCallErrorNumber=EPERM + +# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/ +# Run: systemd-analyze security snow-scanner +# Add this one for ports < 1024 +#CapabilityBoundingSet=CAP_NET_BIND_SERVICE +#CapabilityBoundingSet=CAP_NET_RAW + +SystemCallArchitectures=native + +# Allow icmp +#AmbientCapabilities=CAP_NET_RAW + +# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it, +# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others. +# This is useful to turn off physical device access by the executed process +PrivateDevices=true +# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom +DevicePolicy=closed + +# No devices (except clock: ProtectClock) +# See: https://github.com/systemd/systemd/issues/23185 +DeviceAllow= + +BindReadOnlyPaths=/usr/share/snow-scanner + +ExecStart=/usr/bin/snow-scanner-worker +Restart=on-failure + +LimitNOFILE=infinity + +[Install] +WantedBy=multi-user.target diff --git a/snow-scanner/debian/snow-scanner.service b/snow-scanner/debian/snow-scanner.service new file mode 100644 index 0000000..37fe1e2 --- /dev/null +++ b/snow-scanner/debian/snow-scanner.service 
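Review bot: The commented hint `#CapabilityBoundingSet=CAP_NET_BIND_SERVICE` under "Add this one for ports < 1024" would not grant anything: `CapabilityBoundingSet=` only restricts, and with `User=snow-scanner` plus `NoNewPrivileges=true` the process starts with no capabilities regardless, so binding a privileged port needs `AmbientCapabilities=CAP_NET_BIND_SERVICE`, while the setting that actually tightens this unit, an empty `CapabilityBoundingSet=`, is absent. The `PrivateDevices=true` / `DevicePolicy=closed` pair and its three-line comment appear twice in this unit (once after `LockPersonality=true`, once before `DeviceAllow=`); the second copy is redundant and should be dropped so `DeviceAllow=` sits next to the single definition. The `# Run: systemd-analyze security snow-scanner` comment in this file should name `snow-scanner-worker`. `ProtectSystem=strict` together with `ProtectHome=true` and no `StateDirectory=` or `ReadWritePaths=` leaves the worker nowhere to write except /tmp, so if it persists state a `StateDirectory=snow-scanner` line is needed — that cannot be judged from the unit alone. The capability and duplication points apply verbatim to the snow-scanner.service hunk as well.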
@@ -0,0 +1,77 @@
+[Unit]
+Description=Snow scanner server
+After=network.target
+
+[Service]
+Type=simple
+User=snow-scanner
+Group=snow-scanner
+EnvironmentFile=/etc/snow-scanner/.env
+
+RemoveIPC=true
+ProtectHome=true
+NoNewPrivileges=true
+
+PrivateTmp=false
+ProtectSystem=strict
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
+# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
+# This is useful to turn off physical device access by the executed process
+PrivateDevices=true
+# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
+DevicePolicy=closed
+ProtectProc=invisible
+ProtectClock=true
+ProcSubset=pid
+ProtectHostname=true
+ProtectKernelLogs=true
+# This will fail icmp pingers if set to true
+PrivateUsers=false
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
+SystemCallFilter=~@pkey @ipc
+
+# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately. 
+SystemCallErrorNumber=EPERM + +# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/ +# Run: systemd-analyze security snow-scanner +# Add this one for ports < 1024 +#CapabilityBoundingSet=CAP_NET_BIND_SERVICE +#CapabilityBoundingSet=CAP_NET_RAW + +SystemCallArchitectures=native + +# Allow icmp +#AmbientCapabilities=CAP_NET_RAW + +# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it, +# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others. +# This is useful to turn off physical device access by the executed process +PrivateDevices=true +# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom +DevicePolicy=closed + +# No devices (except clock: ProtectClock) +# See: https://github.com/systemd/systemd/issues/23185 +DeviceAllow= + +BindReadOnlyPaths=/usr/share/snow-scanner + +ExecStart=/usr/bin/snow-scanner +Restart=on-failure + +LimitNOFILE=infinity + +[Install] +WantedBy=multi-user.target