authorSami Kerola <kerolasa@iki.fi>2018-10-18 20:40:05 +0100
committerGitHub <noreply@github.com>2018-10-18 20:40:05 +0100
commit5d45667da08064a3e4afd6fa9d7d4439ea6b2c8f (patch)
tree6a290b2ebc10f684765562468b3d09a2f8fad7e8
parentbf0530d807f46659dd899ec02870bf5006c12313 (diff)
parent9ee32729d9d64258042af7270b72cfd38ce51ea4 (diff)
downloadiputils-5d45667da08064a3e4afd6fa9d7d4439ea6b2c8f.tar.gz
Merge pull request #151 from kerolasa/more-build-sys-fixes
More build sys fixes
-rw-r--r--meson.build36
-rw-r--r--systemd/rarpd.service.in2
-rw-r--r--systemd/rdisc.service.in27
3 files changed, 59 insertions, 6 deletions
diff --git a/meson.build b/meson.build
index 142ebe9..7cb56be 100644
--- a/meson.build
+++ b/meson.build
@@ -171,17 +171,18 @@ config_h = configure_file(
output : 'config.h',
configuration : conf)
+setcap = find_program('setcap', '/usr/sbin/setcap', '/sbin/setcap', required : false)
+if cap_dep.found() and setcap.found()
+ perm_type = 'caps'
+else
+ perm_type = 'setuid'
+endif
+
############################################################
if build_ping == true
executable('ping', ['ping.c', 'ping_common.c', 'ping6_common.c', git_version_h],
dependencies : [m_dep, cap_dep, idn_dep, crypto_dep, resolv_dep],
install: true)
- setcap = find_program('setcap', '/usr/sbin/setcap', '/sbin/setcap', required : false)
- if cap_dep.found() and setcap.found()
- perm_type = 'caps'
- else
- perm_type = 'setuid'
- endif
meson.add_install_script('build-aux/setcap-setuid.sh',
join_paths(get_option('prefix'), get_option('bindir')),
'ping',
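Review bot: The `else` branch sets `perm_type = 'setuid'` without any notice, and after this move the value is shared by every tool that calls build-aux/setcap-setuid.sh (ping here, clockdiff and arping in the next hunk). A build host that lacks libcap or setcap therefore presumably installs three setuid-root binaries instead of one, with nothing in the configure output to show it. Consider logging the decision right after the `endif`, e.g. `message('install permission type: ' + perm_type)`, or adding a build option that lets packagers refuse the setuid fallback. `setcap.path()` is also passed to the install script when `setcap` was not found; what Meson returns in that case should be confirmed, or the call guarded with `setcap.found()`. The `add_install_script` call continues past the end of this hunk.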
@@ -206,17 +207,40 @@ if build_clockdiff == true
executable('clockdiff', ['clockdiff.c', git_version_h],
dependencies : [cap_dep],
install: true)
+ meson.add_install_script('build-aux/setcap-setuid.sh',
+ join_paths(get_option('prefix'), get_option('bindir')),
+ 'clockdiff',
+ perm_type,
+ setcap.path()
+ )
endif
if build_rinfod == true
executable('rdisc', ['rdisc.c', git_version_h],
+ install_dir: 'sbin',
install: true)
+ if systemd.found()
+ subs = configuration_data()
+ subs.set('sbindir', join_paths(get_option('prefix'), get_option('sbindir')))
+ unit_file = configure_file(
+ input: 'systemd/rdisc.service.in',
+ output: 'rdisc@.service',
+ configuration: subs
+ )
+ install_data(unit_file, install_dir: systemdunitdir)
+ endif
endif
if build_arping == true
executable('arping', ['arping.c', git_version_h],
dependencies : [rt_dep, cap_dep, idn_dep],
install: true)
+ meson.add_install_script('build-aux/setcap-setuid.sh',
+ join_paths(get_option('prefix'), get_option('bindir')),
+ 'arping',
+ perm_type,
+ setcap.path()
+ )
endif
if build_tftpd == true
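Review bot: `install_dir: 'sbin'` hard-codes where rdisc is installed, while the `sbindir` substituted into the unit file comes from `get_option('sbindir')`. With a non-default sbindir, the generated `ExecStart=` points at a path where the binary was not installed; `install_dir: get_option('sbindir'),` keeps the two in agreement. The unit is also written out as `rdisc@.service`, a template name, but the new rdisc.service.in never references `%i`, so `output: 'rdisc.service'` may be what was intended.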
diff --git a/systemd/rarpd.service.in b/systemd/rarpd.service.in
index d161785..e600c10 100644
--- a/systemd/rarpd.service.in
+++ b/systemd/rarpd.service.in
@@ -8,6 +8,8 @@ After=network.target
EnvironmentFile=-/etc/sysconfig/rarpd
ExecStart=@sbindir@/rarpd -d $OPTIONS %i
+AmbientCapabilities=CAP_NET_RAW
+DynamicUser=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
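Review bot: `AmbientCapabilities=CAP_NET_RAW` is combined with the existing `PrivateUsers=yes`, and under a private user namespace systemd documents that the process holds no capabilities in the host's user namespace. The service keeps the host network namespace, so opening the raw or packet socket is expected to fail and should be tested with this unit as shipped; the same pairing appears in the new rdisc.service.in. If the socket cannot be opened, drop `PrivateUsers=yes` and keep `DynamicUser=yes` rather than going back to running as root. Adding `CapabilityBoundingSet=CAP_NET_RAW` would also stop the service from ever holding more than the one capability it is granted.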
diff --git a/systemd/rdisc.service.in b/systemd/rdisc.service.in
new file mode 100644
index 0000000..4e2a1ec
--- /dev/null
+++ b/systemd/rdisc.service.in
@@ -0,0 +1,27 @@
+[Unit]
+Description=Network Router Discovery Daemon
+Documentation=man:rdisc(8)
+Requires=network.target
+After=network.target
+
+[Service]
+EnvironmentFile=-/etc/sysconfig/rdisc
+ExecStart=@sbindir@/rdisc -f -t $OPTIONS $SEND_ADDRESS $RECEIVE_ADDRESS
+
+AmbientCapabilities=CAP_NET_RAW
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+SystemCallArchitectures=native
+LockPersonality=yes
+NoNewPrivileges=yes
+
+[Install]
+WantedBy=multi-user.target
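Review bot: The `[Service]` section sets `AmbientCapabilities=CAP_NET_RAW` but no `User=` or `DynamicUser=`, so the daemon starts as root and the ambient capability restricts nothing. The rarpd unit in this same commit gains `DynamicUser=yes`; doing the same here, together with a `CapabilityBoundingSet=` listing only what rdisc needs, would make the least-privilege intent real. Whether `CAP_NET_RAW` alone is enough should be confirmed, since a router-discovery client that updates routes may also need `CAP_NET_ADMIN`. Whichever set is chosen, state it in a comment above the capability lines so later edits do not widen it by accident.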