From: Remi Gacogne Date: Mon, 14 Jan 2019 10:53:34 +0000 (+0100) Subject: Detect the systemd version and enable sandboxing features accordingly X-Git-Tag: rec-4.2.0-alpha1~6^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a3dfb540327b42e5fc68c017d0416711031d8e8b;p=thirdparty%2Fpdns.git Detect the systemd version and enable sandboxing features accordingly --- diff --git a/configure.ac b/configure.ac index 259604bbd1..6f00864e54 100644 --- a/configure.ac +++ b/configure.ac @@ -270,6 +270,7 @@ for a in $dynmodules; do done AX_AVAILABLE_SYSTEMD +AX_CHECK_SYSTEMD_FEATURES AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ]) LDFLAGS="$RELRO_LDFLAGS $LDFLAGS" diff --git a/m4/systemd.m4 b/m4/systemd.m4 index ec2a195388..0e39e9f6a3 100644 --- a/m4/systemd.m4 +++ b/m4/systemd.m4 
@@ -128,3 +128,66 @@ AC_DEFUN([AX_AVAILABLE_SYSTEMD], [
 AX_CHECK_SYSTEMD_DETECT_AND_ENABLE()
 AX_CHECK_SYSTEMD()
 ])
+
+AC_DEFUN([AX_CHECK_SYSTEMD_FEATURES], [
+ if test x"$systemd" = "xy"; then
+ _systemd_version=`systemctl --version|head -1 |cut -d" " -f 2`
+ if test $_systemd_version -ge 183; then
+ systemd_private_tmp=y
+ fi
+ if test $_systemd_version -ge 209; then
+ systemd_system_call_architectures=y
+ systemd_private_devices=y
+ fi
+ if test $_systemd_version -ge 211; then
+ systemd_restrict_address_families=y
+ fi
+ if test $_systemd_version -ge 214; then
+ systemd_protect_system=y
+ systemd_protect_home=y
+ fi
+ if test $_systemd_version -ge 231; then
+ systemd_restrict_realtime=y
+ systemd_memory_deny_write_execute=y
+ fi
+ if test $_systemd_version -ge 232; then
+ systemd_protect_control_groups=y
+ systemd_protect_kernel_modules=y
+ systemd_protect_kernel_tunables=y
+ systemd_remove_ipc=y
+ systemd_dynamic_user=y
+ systemd_private_users=y
+ systemd_protect_system_strict=y
+ fi
+ if test $_systemd_version -ge 233; then
+ systemd_restrict_namespaces=y
+ fi
+ if test $_systemd_version -ge 235; then
+ systemd_lock_personality=y
+ # while SystemCallFilter is technically available starting with 187,
+ # we use the pre-defined call filter sets that have been introduced later.
+ # Initial support for these landed in 231
+ # @filesystem @reboot @swap in 233
+ # @aio, @sync, @chown, @setuid, @memlock, @signal and @timer in 235
+ systemd_system_call_filter=y
+ fi
+ fi
+ AM_CONDITIONAL([HAVE_SYSTEMD_DYNAMIC_USER], [ test x"$systemd_dynamic_user" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_LOCK_PERSONALITY], [ test x"$systemd_lock_personality" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE], [ test x"$systemd_memory_deny_write_execute" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_DEVICES], [ test x"$systemd_private_devices" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_TMP], [ test x"$systemd_private_tmp" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_USERS], [ test x"$systemd_private_users" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_CONTROL_GROUPS], [ test x"$systemd_protect_control_groups" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_HOME], [ test x"$systemd_protect_home" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_MODULES], [ test x"$systemd_protect_kernel_modules" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_TUNABLES], [ test x"$systemd_protect_kernel_tunables" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_SYSTEM], [ test x"$systemd_protect_system" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_SYSTEM_STRICT], [ test x"$systemd_protect_system_strict" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_REMOVE_IPC], [ test x"$systemd_remove_ipc" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_RESTRICT_ADDRESS_FAMILIES], [ test x"$systemd_restrict_address_families" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_RESTRICT_NAMESPACES], [ test x"$systemd_restrict_namespaces" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_RESTRICT_REALTIME], [ test x"$systemd_restrict_realtime" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_SYSTEM_CALL_ARCHITECTURES], [ test x"$systemd_system_call_architectures" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_SYSTEM_CALL_FILTER], [ test x"$systemd_system_call_filter" = "xy" ])
+])
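Review bot: The `systemctl --version|head -1 |cut -d" " -f 2` probe has no fallback: if systemctl is not on PATH when configure runs (chroot or container builders, cross builds that only have libsystemd), `_systemd_version` is empty, each unquoted `test $_systemd_version -ge N` fails with a shell error and takes the false branch, and every hardening directive is then stripped from the installed units with nothing in the configure output saying so — a silent fail-open. Coerce anything non-numeric to 0 and record the decision, e.g. `case "$_systemd_version" in ''|*[!0-9]*) _systemd_version=0 ;; esac` followed by `AC_MSG_NOTICE([systemd version $_systemd_version detected; unsupported unit hardening directives will be removed])`, so a build that ships a reduced sandbox is visible in the log. This also probes the build host's systemd rather than the one the units will run under; if AX_CHECK_SYSTEMD already locates systemd via pkg-config (its body is outside this hunk), `$PKG_CONFIG --modversion systemd` would serve cross builds better than running systemctl. Minor: `head -n 1` is the POSIX spelling, and `2>/dev/null` on the probe keeps a missing systemctl from spraying the configure output.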
diff --git a/pdns/Makefile.am b/pdns/Makefile.am index 73f73791dc..9f6d7351d1 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am @@ -1513,6 +1513,45 @@ dnsdist: if HAVE_SYSTEMD pdns.service: pdns.service.in $(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' < $< > $@ +if !HAVE_SYSTEMD_LOCK_PERSONALITY + $(AM_V_GEN)sed -i '' -e '/^LockPersonality/d' $@ +endif +if !HAVE_SYSTEMD_PRIVATE_DEVICES + $(AM_V_GEN)sed -i '' -e '/^PrivateDevices/d' $@ +endif +if !HAVE_SYSTEMD_PRIVATE_TMP + $(AM_V_GEN)sed -i '' -e '/^PrivateTmp/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_CONTROL_GROUPS + $(AM_V_GEN)sed -i '' -e '/^ProtectControlGroups/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_HOME + $(AM_V_GEN)sed -i '' -e '/^ProtectHome/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_KERNEL_MODULES + $(AM_V_GEN)sed -i '' -e '/^ProtectKernelModules/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_KERNEL_TUNABLES + $(AM_V_GEN)sed -i '' -e '/^ProtectKernelTunables/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_SYSTEM + $(AM_V_GEN)sed -i '' -e '/^ProtectSystem/d' $@ +endif +if !HAVE_SYSTEMD_RESTRICT_ADDRESS_FAMILIES + $(AM_V_GEN)sed -i '' -e '/^RestrictAddressFamilies/d' $@ +endif +if !HAVE_SYSTEMD_RESTRICT_NAMESPACES + $(AM_V_GEN)sed -i '' -e '/^RestrictNamespaces/d' $@ +endif +if !HAVE_SYSTEMD_RESTRICT_REALTIME + $(AM_V_GEN)sed -i '' -e '/^RestrictRealtime/d' $@ +endif +if !HAVE_SYSTEMD_SYSTEM_CALL_ARCHITECTURES + $(AM_V_GEN)sed -i '' -e '/^SystemCallArchitectures/d' $@ +endif +if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER + $(AM_V_GEN)sed -i '' -e '/^SystemCallFilter/d' $@ +endif pdns@.service: pdns.service $(AM_V_GEN)sed -e 's!/pdns_server!& --config-name=%i!' \ diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am index 9f422a86cd..1f49403481 100644 --- a/pdns/dnsdistdist/Makefile.am +++ b/pdns/dnsdistdist/Makefile.am 
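Review bot: `sed -i '' -e '/^LockPersonality/d' $@` (and the twelve recipes after it) is BSD-sed syntax only; GNU sed accepts a suffix for `-i` only when attached, so the detached `''` is parsed as an input file name, sed prints `sed: can't read : No such file or directory` and exits 2, and the `pdns.service` rule fails on Linux builders for every feature the detected systemd lacks. The in-place rewrite is also non-atomic: a failure part-way through leaves a newer, partially-stripped `$@` that later make runs treat as up to date. Rather than thirteen in-place passes, accumulate the delete expressions into a variable under the same automake conditionals (automake accepts `+=` inside a conditional once the variable is defined in an enclosing one) and run a single sed that writes through a temp file, as below. The dnsdist and recursor Makefile.am hunks in this commit have the same recipes and need the same fix.
```make
if HAVE_SYSTEMD
# Unit directives the detected systemd does not understand are deleted from
# the generated service file; each conditional appends one sed expression.
systemd_unit_strip =
if !HAVE_SYSTEMD_LOCK_PERSONALITY
systemd_unit_strip += -e '/^LockPersonality/d'
endif
if !HAVE_SYSTEMD_PRIVATE_DEVICES
systemd_unit_strip += -e '/^PrivateDevices/d'
endif
# … one such block each for PrivateTmp, ProtectControlGroups, ProtectHome,
# ProtectKernelModules, ProtectKernelTunables, ProtectSystem,
# RestrictAddressFamilies, RestrictNamespaces, RestrictRealtime,
# SystemCallArchitectures and SystemCallFilter …
pdns.service: pdns.service.in
	$(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' $(systemd_unit_strip) < $< > $@.tmp && mv -f $@.tmp $@
```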
@@ -322,6 +322,45 @@ endif if HAVE_SYSTEMD dnsdist.service: dnsdist.service.in $(AM_V_GEN)sed -e 's![@]bindir[@]!$(bindir)!' < $< > $@ +if !HAVE_SYSTEMD_LOCK_PERSONALITY + $(AM_V_GEN)sed -i '' -e '/^LockPersonality/d' $@ +endif +if !HAVE_SYSTEMD_PRIVATE_DEVICES + $(AM_V_GEN)sed -i '' -e '/^PrivateDevices/d' $@ +endif +if !HAVE_SYSTEMD_PRIVATE_TMP + $(AM_V_GEN)sed -i '' -e '/^PrivateTmp/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_CONTROL_GROUPS + $(AM_V_GEN)sed -i '' -e '/^ProtectControlGroups/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_HOME + $(AM_V_GEN)sed -i '' -e '/^ProtectHome/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_KERNEL_MODULES + $(AM_V_GEN)sed -i '' -e '/^ProtectKernelModules/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_KERNEL_TUNABLES + $(AM_V_GEN)sed -i '' -e '/^ProtectKernelTunables/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_SYSTEM + $(AM_V_GEN)sed -i '' -e '/^ProtectSystem/d' $@ +endif +if !HAVE_SYSTEMD_RESTRICT_ADDRESS_FAMILIES + $(AM_V_GEN)sed -i '' -e '/^RestrictAddressFamilies/d' $@ +endif +if !HAVE_SYSTEMD_RESTRICT_NAMESPACES + $(AM_V_GEN)sed -i '' -e '/^RestrictNamespaces/d' $@ +endif +if !HAVE_SYSTEMD_RESTRICT_REALTIME + $(AM_V_GEN)sed -i '' -e '/^RestrictRealtime/d' $@ +endif +if !HAVE_SYSTEMD_SYSTEM_CALL_ARCHITECTURES + $(AM_V_GEN)sed -i '' -e '/^SystemCallArchitectures/d' $@ +endif +if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER + $(AM_V_GEN)sed -i '' -e '/^SystemCallFilter/d' $@ +endif dnsdist@.service: dnsdist.service $(AM_V_GEN)sed -e 's!/dnsdist !&--config $(sysconfdir)/dnsdist-%i.conf !' < $< >$@ diff --git a/pdns/dnsdistdist/configure.ac b/pdns/dnsdistdist/configure.ac index 6ee328f24d..1ed08b9999 100644 --- a/pdns/dnsdistdist/configure.ac +++ b/pdns/dnsdistdist/configure.ac @@ -43,6 +43,7 @@ PDNS_WITH_NET_SNMP PDNS_WITH_LIBCAP AX_AVAILABLE_SYSTEMD +AX_CHECK_SYSTEMD_FEATURES AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ]) AC_SUBST([YAHTTP_CFLAGS], ['-I$(top_srcdir)/ext/yahttp']) 
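Review bot: Each `$(AM_V_GEN)sed -i '' -e '/^…/d' $@` recipe in this hunk fails on GNU sed: `-i` takes its optional suffix only when attached, so the separate `''` becomes an (empty) input file name, sed reports `can't read : No such file or directory` and exits 2, and `dnsdist.service` does not build on Linux whenever the detected systemd lacks one of the thirteen features. A portable one-line replacement per recipe is `$(AM_V_GEN)sed -e '/^LockPersonality/d' $@ > $@.tmp && mv -f $@.tmp $@`, which also makes the rewrite atomic instead of leaving a newer half-edited target on failure. Better still, append each `-e '/^…/d'` to an automake variable under the same `if !HAVE_SYSTEMD_*` conditionals and pass it to the first sed, so the unit is generated in one pass.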
diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in index f64f1a9f04..094ffe3ed4 100644 --- a/pdns/dnsdistdist/dnsdist.service.in +++ b/pdns/dnsdistdist/dnsdist.service.in @@ -33,6 +33,8 @@ ProtectSystem=full RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictNamespaces=true RestrictRealtime=true +SystemCallArchitectures=native +SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete [Install] WantedBy=multi-user.target diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in index 928ec46643..60a6e075ab 100644 --- a/pdns/pdns.service.in +++ b/pdns/pdns.service.in @@ -25,6 +25,8 @@ ProtectSystem=full RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictNamespaces=true RestrictRealtime=true +SystemCallArchitectures=native +SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete [Install] WantedBy=multi-user.target diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am index 022cc6cb3f..51ad4489ba 100644 --- a/pdns/recursordist/Makefile.am +++ b/pdns/recursordist/Makefile.am 
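Review bot: `SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete` is a deny-list and the unit sets no `SystemCallErrorNumber=`, so systemd's default applies: a thread that hits a blocked call is killed with SIGSYS rather than getting an errno it could log. That is the stronger choice for a network-facing daemon, but it should be stated in the unit so an operator who sees dnsdist die on SIGSYS knows where to look, e.g. `# Deny-list: calls outside these groups stay allowed; a blocked call kills the process (no SystemCallErrorNumber=)` above the line. Everything not in those groups remains permitted, so this is not a substitute for an allow-list; once the supported systemd baseline includes the `@system-service` set (added in a later release than the 235 this commit gates on), switching to an allow-list with explicit removals would be a tighter fit.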
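Review bot: The new `SystemCallFilter=` and `SystemCallArchitectures=native` lines apply to every process in the unit's cgroup, not just pdns_server; anything the server spawns (a backend coprocess or helper script, if one is configured) inherits the filter, cannot be a non-native binary, and is killed with SIGSYS if it trips the deny-list. That is worth documenting beside the directive: `# Inherited by any helper process the server starts; relax via a drop-in (systemctl edit pdns) if a backend coprocess needs more.` I cannot tell from this hunk whether the shipped configuration uses such helpers, so treat this as a caveat to record rather than a defect in the change.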
@@ -446,6 +446,45 @@ endif if HAVE_SYSTEMD pdns-recursor.service: pdns-recursor.service.in $(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' < $< > $@ +if !HAVE_SYSTEMD_LOCK_PERSONALITY + $(AM_V_GEN)sed -i '' -e '/^LockPersonality/d' $@ +endif +if !HAVE_SYSTEMD_PRIVATE_DEVICES + $(AM_V_GEN)sed -i '' -e '/^PrivateDevices/d' $@ +endif +if !HAVE_SYSTEMD_PRIVATE_TMP + $(AM_V_GEN)sed -i '' -e '/^PrivateTmp/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_CONTROL_GROUPS + $(AM_V_GEN)sed -i '' -e '/^ProtectControlGroups/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_HOME + $(AM_V_GEN)sed -i '' -e '/^ProtectHome/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_KERNEL_MODULES + $(AM_V_GEN)sed -i '' -e '/^ProtectKernelModules/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_KERNEL_TUNABLES + $(AM_V_GEN)sed -i '' -e '/^ProtectKernelTunables/d' $@ +endif +if !HAVE_SYSTEMD_PROTECT_SYSTEM + $(AM_V_GEN)sed -i '' -e '/^ProtectSystem/d' $@ +endif +if !HAVE_SYSTEMD_RESTRICT_ADDRESS_FAMILIES + $(AM_V_GEN)sed -i '' -e '/^RestrictAddressFamilies/d' $@ +endif +if !HAVE_SYSTEMD_RESTRICT_NAMESPACES + $(AM_V_GEN)sed -i '' -e '/^RestrictNamespaces/d' $@ +endif +if !HAVE_SYSTEMD_RESTRICT_REALTIME + $(AM_V_GEN)sed -i '' -e '/^RestrictRealtime/d' $@ +endif +if !HAVE_SYSTEMD_SYSTEM_CALL_ARCHITECTURES + $(AM_V_GEN)sed -i '' -e '/^SystemCallArchitectures/d' $@ +endif +if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER + $(AM_V_GEN)sed -i '' -e '/^SystemCallFilter/d' $@ +endif pdns-recursor@.service: pdns-recursor.service $(AM_V_GEN)sed -e 's!/pdns_recursor!& --config-name=%i!' \ diff --git a/pdns/recursordist/configure.ac b/pdns/recursordist/configure.ac index d3ceb2b2e7..155e837394 100644 --- a/pdns/recursordist/configure.ac +++ b/pdns/recursordist/configure.ac @@ -175,6 +175,7 @@ PDNS_ENABLE_SANITIZERS PDNS_ENABLE_MALLOC_TRACE PDNS_ENABLE_VALGRIND AX_AVAILABLE_SYSTEMD +AX_CHECK_SYSTEMD_FEATURES AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ]) PDNS_CHECK_VIRTUALENV 
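Review bot: `sed -i '' -e '/^LockPersonality/d' $@` and the twelve sibling recipes are BSD-sed syntax; with GNU sed the detached `''` is taken as a file to edit, producing `sed: can't read : No such file or directory` and a non-zero exit, so the `pdns-recursor.service` rule breaks on Linux as soon as any HAVE_SYSTEMD_* conditional is false. Write through a temporary file instead — `sed -e '/^LockPersonality/d' $@ > $@.tmp && mv -f $@.tmp $@` — or fold all the deletions into the first sed invocation via an automake variable so the target is produced in a single atomic step. Separately, configure defines HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE and HAVE_SYSTEMD_REMOVE_IPC but no recipe here strips `MemoryDenyWriteExecute=` or `RemoveIPC=`; if pdns-recursor.service.in carries either directive (not visible in this hunk), it would be left in for systemd versions that do not know it.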
diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in index 8855acaee8..357af43290 100644 --- a/pdns/recursordist/pdns-recursor.service.in +++ b/pdns/recursordist/pdns-recursor.service.in @@ -29,6 +29,8 @@ ProtectSystem=full RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictNamespaces=true RestrictRealtime=true +SystemCallArchitectures=native +SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete [Install] WantedBy=multi-user.target
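Review bot: Every set named on this `SystemCallFilter=` line is available well before systemd 235: the comment in this commit's m4 hunk places only @filesystem/@reboot/@swap at 233 and @aio/@sync/@chown/@setuid/@memlock/@signal/@timer at 235, none of which beyond @reboot and @swap appear here, yet AX_CHECK_SYSTEMD_FEATURES sets systemd_system_call_filter only for 235 or newer. Builds against systemd 233 or 234 therefore drop the filter entirely when they could keep it; lower that gate to 233 (the 235 sets can get their own conditional if a unit ever uses them), or if 235 is intended for another reason, say so beside the directive, e.g. `# Kept only on systemd >= 235, see AX_CHECK_SYSTEMD_FEATURES`. As in the other two units, a blocked call kills the process with SIGSYS because no `SystemCallErrorNumber=` is set; a one-line comment recording that would help whoever debugs an unexpected recursor exit.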