julian-klode · May 1, 2023 14:51
diff --git a/apt b/apt
 #!/bin/sh
 args=""
 if [ $(id -u) -ne 0 ]; then
 	args=--user
 fi

 if echo $@ | grep update; then
 	args="$args -p ProtectSystem=strict -p ReadWritePaths=/var/lib/apt -p ReadWritePaths=/var/cache/apt -p PrivateTmp=yes -p PrivateDevices=yes"
 fi
 exec systemd-run $args -q --wait -G --unit apt.service -Pt -p ProtectHome=yes -p NoNewPrivileges=yes -p ProtectHostname=yes -p ProtectClock=yes -p ProtectKernelTunables=yes -p ProtectKernelModules=yes -p ProtectKernelLogs=yes -p ProtectControlGroups=yes -p RestrictRealtime=yes -p SystemCallFilter=@system-service /usr/bin/apt "$@"
	#!/bin/sh
	args=""
	if [ $(id -u) -ne 0 ]; then
	args=--user
	fi

	if echo $@ \| grep update; then
	args="$args -p ProtectSystem=strict -p ReadWritePaths=/var/lib/apt -p ReadWritePaths=/var/cache/apt -p PrivateTmp=yes -p PrivateDevices=yes"
	fi
	exec systemd-run $args -q --wait -G --unit apt.service -Pt -p ProtectHome=yes -p NoNewPrivileges=yes -p ProtectHostname=yes -p ProtectClock=yes -p ProtectKernelTunables=yes -p ProtectKernelModules=yes -p ProtectKernelLogs=yes -p ProtectControlGroups=yes -p RestrictRealtime=yes -p SystemCallFilter=@system-service /usr/bin/apt "$@"