Add more restrictions to pdns systemd unit file

author Ruben Kerkhof <ruben@rubenkerkhof.com>

Thu, 19 Feb 2015 19:46:51 +0000 (20:46 +0100)

committer Ruben Kerkhof <ruben@rubenkerkhof.com>

Thu, 19 Feb 2015 19:46:51 +0000 (20:46 +0100)
author Ruben Kerkhof <ruben@rubenkerkhof.com>
Thu, 19 Feb 2015 19:46:51 +0000 (20:46 +0100)
committer Ruben Kerkhof <ruben@rubenkerkhof.com>
Thu, 19 Feb 2015 19:46:51 +0000 (20:46 +0100)
diff --git a/contrib/systemd-pdns.service b/contrib/systemd-pdns.service

index 7ce47f45c0e6638ca0b9dc4f4cfa23d9f356294e..e5fac8012e2262c9e5c49309d25e0043eb9233ba 100644 (file)
--- a/contrib/systemd-pdns.service
+++ b/contrib/systemd-pdns.service
@@ -11,6 +11,12 @@ ExecStop=/usr/bin/pdns_control quit
  Restart=on-failure
  RestartSec=2
  PrivateTmp=true
+PrivateDevices=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
+NoNewPrivileges=true
+ProtectSystem=full
+ProtectHome=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
  
  [Install]
  WantedBy=multi-user.target
author	Ruben Kerkhof <ruben@rubenkerkhof.com>
	Thu, 19 Feb 2015 19:46:51 +0000 (20:46 +0100)
committer	Ruben Kerkhof <ruben@rubenkerkhof.com>
	Thu, 19 Feb 2015 19:46:51 +0000 (20:46 +0100)