[yocto] [meta-security][PATCH 05/10] suricata: add systemd unit

Koen Kooi koen at dominion.thruhere.net
Wed Aug 1 01:09:22 PDT 2018


Based on the Debian systemd unit.

Signed-off-by: Koen Kooi <koen.kooi at linaro.org>
---
 recipes-security/suricata/files/suricata.service | 20 ++++++++++++++++++++
 recipes-security/suricata/suricata_4.0.0.bb      | 17 +++++++++++++++--
 2 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 recipes-security/suricata/files/suricata.service

diff --git a/recipes-security/suricata/files/suricata.service b/recipes-security/suricata/files/suricata.service
new file mode 100644
index 0000000..a99a76e
--- /dev/null
+++ b/recipes-security/suricata/files/suricata.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Suricata IDS/IDP daemon
+After=network.target
+Requires=network.target
+Documentation=man:suricata(8) man:suricatasc(8)
+Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
+
+[Service]
+Type=simple
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+RestrictAddressFamilies=
+ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0
+ExecReload=/bin/kill -HUP $MAINPID
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=yes
+
+[Install]
+WantedBy=multi-user.target
+
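Review bot: `RestrictAddressFamilies=` is left empty in `[Service]`, and in systemd an empty assignment only resets the list, so no socket-family restriction is applied even though the line reads like hardening. If a restriction is intended, give it an explicit allow-list, for example `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_PACKET AF_NETLINK`, trimmed to what the chosen capture mode needs; otherwise drop the line. The unit also sets no `User=`, so the daemon runs as root, and `ProtectSystem=yes` leaves `/etc` writable; `ProtectSystem=full` plus `NoNewPrivileges=yes` would tighten that, assuming Suricata only writes under its log and run directories. Separately, `ExecStart` hard-codes `eth0` as a bare argument, which will not match every target board; reading the interface from an `EnvironmentFile=` would make it configurable.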
diff --git a/recipes-security/suricata/suricata_4.0.0.bb b/recipes-security/suricata/suricata_4.0.0.bb
index 7ab3077..91136bf 100644
--- a/recipes-security/suricata/suricata_4.0.0.bb
+++ b/recipes-security/suricata/suricata_4.0.0.bb
@@ -7,9 +7,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd
 SRC_URI += " \
            file://volatiles.03_suricata \
            file://suricata.yaml \
+           file://suricata.service \
            "
 
-inherit autotools-brokensep pkgconfig python-dir 
+inherit autotools-brokensep pkgconfig python-dir systemd 
 
 CFLAGS += "-D_DEFAULT_SOURCE"
 
@@ -45,6 +46,16 @@ do_install_append () {
     install -m 644 reference.config ${D}${sysconfdir}/suricata
     install -m 644 ${WORKDIR}/suricata.yaml ${D}${sysconfdir}/suricata
     install -m 0644 ${WORKDIR}/volatiles.03_suricata  ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata
+
+    install -d ${D}${systemd_unitdir}/system
+    sed  -e s:/etc:${sysconfdir}:g \
+         -e s:/var/run:/run:g \
+         -e s:/var:${localstatedir}:g \
+         -e s:/usr/bin:${bindir}:g \
+         -e s:/bin/kill:${base_bindir}/kill:g \
+         -e s:/usr/lib:${libdir}:g \
+         ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+
 }
 
 pkg_postinst_ontarget_${PN} () {
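Review bot: The generated unit in `do_install_append` is written through a shell redirection, so its permissions come from the task's umask rather than an explicit mode, unlike the `install -m 644` lines just above it. Since systemd runs whatever this file specifies with root privileges, it is worth pinning the mode, e.g. by adding `chmod 0644 ${D}${systemd_unitdir}/system/suricata.service` after the `sed`. The `sed` expressions are also unquoted and unanchored (`s:/etc:${sysconfdir}:g` rewrites every occurrence in the file), so quoting them and limiting them to the paths the unit really contains would make the rewrite easier to audit. The function starts outside this hunk.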
@@ -53,8 +64,10 @@ if [ -e /etc/init.d/populate-volatile.sh ] ; then
 fi
 }
 
+SYSTEMD_PACKAGES = "${PN}"
+
 PACKAGES =+ "${PN}-python"
-FILES_${PN} += "${logdir}/suricata"
+FILES_${PN} += "${logdir}/suricata ${systemd_unitdir}"
 FILES_${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
 
 CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
-- 
2.9.5


