MINOR: systemd: Add SystemD's Protect*= options to the unit file

While the haproxy workers usually are running chrooted the master
process is not. This patch is a pretty safe defense in depth measure
to ensure haproxy cannot touch sensitive parts of the file system.

ProtectSystem takes non-boolean arguments in newer SystemD versions,
but setting those would leave older systems such as Ubuntu Xenial
unprotected. Distro maintainers and system administrators could
adapt the ProtectSystem value to the SystemD version they ship.

diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in
index 5d8eecf06bfb190f93c95391a5eee913e4897316..846bcc77f5eaa2b0851883c587ae2585a3a16c44 100644 (file)
--- a/contrib/systemd/haproxy.service.in
+++ b/contrib/systemd/haproxy.service.in
@@ -18,5 +18,15 @@ Type=notify
 # reduced performance. See systemd.service(5) and systemd.exec(5) for further
 # information.
 
+# NoNewPrivileges=true
+# ProtectHome=true
+# If you want to use 'ProtectSystem=strict' you should whitelist the PIDFILE,
+# any state files and any other files written using 'ReadWritePaths' or
+# 'RuntimeDirectory'.
+# ProtectSystem=true
+# ProtectKernelTunables=true
+# ProtectKernelModules=true
+# ProtectControlGroups=true
+
 [Install]
 WantedBy=multi-user.target