systemd service: Only enable MemoryDenyWriteExecute for ixfrdist

author Remi Gacogne <remi.gacogne@powerdns.com>

Tue, 29 Nov 2022 15:10:57 +0000 (16:10 +0100)

committer Remi Gacogne <remi.gacogne@powerdns.com>

Wed, 7 Dec 2022 09:00:40 +0000 (10:00 +0100)
author Remi Gacogne <remi.gacogne@powerdns.com>
Tue, 29 Nov 2022 15:10:57 +0000 (16:10 +0100)
committer Remi Gacogne <remi.gacogne@powerdns.com>
Wed, 7 Dec 2022 09:00:40 +0000 (10:00 +0100)
diff --git a/pdns/Makefile.am b/pdns/Makefile.am

index b12c11802a82f67f85f11cded57e6b7a3daf318c..4fea89c11c0ca2a16debafa35c8f63de5deab450 100644 (file)
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -1793,9 +1793,6 @@ endif
  if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
         $(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@
  endif
-if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
-       $(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
-endif
  if !HAVE_SYSTEMD_PROTECT_PROC
         $(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
  endif
diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am

index 43d5cc16591380a05360670444f0e01fd1958c5f..c3ed1f158072f97d3480d8a7b6a03275b83c246b 100644 (file)
--- a/pdns/dnsdistdist/Makefile.am
+++ b/pdns/dnsdistdist/Makefile.am
@@ -542,9 +542,6 @@ endif
  if !HAVE_SYSTEMD_PROTECT_PROC
         $(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
  endif
-if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
-       $(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
-endif
  if !HAVE_SYSTEMD_PRIVATE_IPC
         $(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@
  endif
diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in

index 73d78fd02869576a8295126ccc83897ab8bcc1d1..eb75e7632a511bd478340c2f8e0f6195c9b521a8 100644 (file)
--- a/pdns/dnsdistdist/dnsdist.service.in
+++ b/pdns/dnsdistdist/dnsdist.service.in
@@ -51,10 +51,11 @@ RestrictSUIDSGID=true
  SystemCallArchitectures=native
  SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
  ProtectProc=invisible
-MemoryDenyWriteExecute=true
  PrivateIPC=true
  RemoveIPC=true
  DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
  
  [Install]
  WantedBy=multi-user.target
diff --git a/pdns/ixfrdist.service.in b/pdns/ixfrdist.service.in

index b69618abe386c2302ec88fa8c992271ba23aae39..a1b07220a3f1070cdda0f724f877401db9f37e07 100644 (file)
--- a/pdns/ixfrdist.service.in
+++ b/pdns/ixfrdist.service.in
@@ -35,10 +35,10 @@ RestrictSUIDSGID=true
  SystemCallArchitectures=native
  SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
  ProtectProc=invisible
-MemoryDenyWriteExecute=true
  PrivateIPC=true
  RemoveIPC=true
  DevicePolicy=closed
+MemoryDenyWriteExecute=true
  
  [Install]
  WantedBy=multi-user.target
diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in

index d073ec3d5eb3f728edc35d9672291bafb0b86898..1d23347b4d286654ebe7c5ef1daf66f19b7b28bb 100644 (file)
--- a/pdns/pdns.service.in
+++ b/pdns/pdns.service.in
@@ -41,10 +41,11 @@ RestrictSUIDSGID=true
  SystemCallArchitectures=native
  SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
  ProtectProc=invisible
-MemoryDenyWriteExecute=true
  PrivateIPC=true
  RemoveIPC=true
  DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
  
  [Install]
  WantedBy=multi-user.target
diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am

index cde922ed8fcfbcd2cf892d4bc22d24c843cd9f0c..629976e0d15aeb025b53172422ab19d2e81e8838 100644 (file)
--- a/pdns/recursordist/Makefile.am
+++ b/pdns/recursordist/Makefile.am
@@ -624,9 +624,6 @@ endif
  if !HAVE_SYSTEMD_PROTECT_PROC
         $(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
  endif
-if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
-       $(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
-endif
  if !HAVE_SYSTEMD_PRIVATE_IPC
         $(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@
  endif
diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in

index dc88bbfda706a60fbbbc85b2f7abceec090da191..ddb92367201731aec337dd9c06409fea6bcb0fb8 100644 (file)
--- a/pdns/recursordist/pdns-recursor.service.in
+++ b/pdns/recursordist/pdns-recursor.service.in
@@ -42,10 +42,11 @@ RestrictSUIDSGID=true
  SystemCallArchitectures=native
  SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
  ProtectProc=invisible
-MemoryDenyWriteExecute=true
  PrivateIPC=true
  RemoveIPC=true
  DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
  
  [Install]
  WantedBy=multi-user.target
author	Remi Gacogne <remi.gacogne@powerdns.com>
	Tue, 29 Nov 2022 15:10:57 +0000 (16:10 +0100)
committer	Remi Gacogne <remi.gacogne@powerdns.com>
	Wed, 7 Dec 2022 09:00:40 +0000 (10:00 +0100)
pdns/Makefile.am		patch \| blob \| blame \| history
pdns/dnsdistdist/Makefile.am		patch \| blob \| blame \| history
pdns/dnsdistdist/dnsdist.service.in		patch \| blob \| blame \| history
pdns/ixfrdist.service.in		patch \| blob \| blame \| history
pdns/pdns.service.in		patch \| blob \| blame \| history
pdns/recursordist/Makefile.am		patch \| blob \| blame \| history
pdns/recursordist/pdns-recursor.service.in		patch \| blob \| blame \| history