community/geoipupdate to 4.9.0-3

community/geoipupdate/PKGBUILD

@@ -7,7 +7,7 @@
 
 pkgname=geoipupdate
 pkgver=4.9.0
-pkgrel=2
+pkgrel=3
 pkgdesc="Update GeoIP2 and GeoIP Legacy binary databases from MaxMind"
 license=('Apache' 'MIT')
 arch=('x86_64')
@@ -26,7 +26,7 @@ source=(
 )
 
 sha256sums=('43195d457a372dc07be593d815212d6ea21e499a37a6111058efa3296759cba9'
-            '94d120a089524b91b2c3095332dee66b346bc97f1496cbff677ff02afa37a6cc'
+            '46351d1fb0a5f3a6262539376cc6c22685de24d66d07f6f7a1497ed9a7a5385c'
             'ba9039ae9cc3dea4fe48480527b515cab2ad3a2f69aea5bf55f551e6895779e3'
             'bac4deced8219f56e1b394986f5125a6b36864bb5e9ebf0499ec0edcba55f9ed')
 

community/geoipupdate/geoipupdate.service

@@ -6,3 +6,44 @@ After=network.target
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/geoipupdate --config-file /etc/GeoIP.conf
+
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/GeoIP
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=invisible
+
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap