From bb8041a73ae8f9666f61e9ae021b6cb46980d45f Mon Sep 17 00:00:00 2001
From: Tommy <contact@tommytran.io>
Date: Fri, 28 Jun 2024 16:13:33 -0700
Subject: [PATCH] New gvisor-updater.service

---
 etc/systemd/system/gvisor-updater.service | 50 +++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 etc/systemd/system/gvisor-updater.service

diff --git a/etc/systemd/system/gvisor-updater.service b/etc/systemd/system/gvisor-updater.service
new file mode 100644
index 0000000..3da037a
--- /dev/null
+++ b/etc/systemd/system/gvisor-updater.service
@@ -0,0 +1,50 @@
+[Unit]
+Description=Update gVisor
+After=network-online.target
+Before=docker.service
+
+[Service]
+Type=oneshot
+RuntimeDirectory=gvisor-updater
+WorkingDirectory=/run/gvisor-updater
+ExecStart=/usr/bin/sleep 5
+ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc
+ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512
+ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1
+ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512
+ExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
+ExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512
+ExecStart=+/usr/bin/chown root:root runsc containerd-shim-runsc-v1
+ExecStart=+/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1
+ExecStart=+/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin
+ExecStart=+/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc
+
+DynamicUser=true
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectoryMode=700
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@obsolete
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file