xchpst (extended chpst) for Debian
----------------------------------

The xchpst package for Debian enables runscripts provided for system
services to launch those services with hardening options that are not
available from the chpst tool normally used with runscripts. See the
man page xchpst(8) for details.

Runscripts that take advantage of xchpst features in Debian should
terminate their use of extended options with the '-@' separator. This
lets a fake version of xchpst discard the extended options and invoke
the classic 'chpst' tool with the remaining, compatible options. Without
the separator a fake version has no reliable way to tell which options
it is safe to drop.

An example invocation within a runscript:

  exec xchpst --scheduler=idle --cap-bs-keep=CAP_NET_BIND_SERVICE,CAP_NET_RAW \
      --new-root --ro-sys --private-tmp --protect-home --no-new-privs \
      -@ -n 19 -- /usr/sbin/radvd --nodaemon --username radvd \
      --logmethod stderr_clean --config /etc/radvd.conf

Here everything before '-@' is xchpst-specific, '-n 19' is an option
that classic chpst understands, and everything after '--' is the service
command line.

The following shell fragment is shipped with the documentation to
demonstrate one way of achieving xchpst compatibility:

  /usr/share/doc/xchpst/xchpst-funcs.sh

The xchpst binary and man page are installed as 'xchpst.real' and
registered with the 'alternatives' mechanism, so that fake versions can
be supplied by another package at lower priority. See:

  update-alternatives --query xchpst
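As an added illustration of the '-@' convention (this is not the contents
of xchpst-funcs.sh and not code from the xchpst package), the POSIX sh
fragment below shows what a minimal fake xchpst has to do: drop every
argument up to and including the first '-@', then hand the remainder to
classic chpst. The function names xchpst_strip_extended and xchpst_compat
are invented for this example; the refusal to proceed when '--' is reached
before a '-@' is this example's choice, since a fake cannot otherwise
know which options are safe to discard.

```shell
# Added example, not the package's own compat code.
# Print the arguments that follow the first '-@' separator, one per line.
# Returns 1 when there is nothing to run: no separator was seen before
# the '--' that ends option processing, or nothing follows the separator.
xchpst_strip_extended() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -@) shift; break ;;   # end of xchpst-specific options
            --) return 1 ;;       # command line reached, no separator seen
        esac
        shift
    done
    [ $# -gt 0 ] || return 1
    printf '%s\n' "$@"
}

# Fake-xchpst entry point: prefer the real binary (registered as
# 'xchpst.real' via alternatives); otherwise strip the extended options
# and exec classic chpst with the compatible remainder.
# Assumption for this example: no argument contains a newline, because
# the remainder is re-split on newlines.
xchpst_compat() {
    if command -v xchpst.real >/dev/null 2>&1; then
        exec xchpst.real "$@"
    fi
    xchpst_rest=$(xchpst_strip_extended "$@") || {
        echo "xchpst compat: no '-@' separator before the command line" >&2
        return 2
    }
    xchpst_old_ifs=$IFS
    IFS='
'
    set -f
    set -- $xchpst_rest
    set +f
    IFS=$xchpst_old_ifs
    exec chpst "$@"
}

# Usage (mirrors the radvd runscript above):
#   xchpst_compat --scheduler=idle --new-root --no-new-privs \
#       -@ -n 19 -- /usr/sbin/radvd --nodaemon --config /etc/radvd.conf
# On a system without xchpst.real this execs:
#   chpst -n 19 -- /usr/sbin/radvd --nodaemon --config /etc/radvd.conf
```

A real fake package would install this as the 'xchpst' alternative at a
lower priority than the genuine binary; the exec is deliberately left to
xchpst_compat so that the stripping logic can be exercised on its own.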