From: Remi Gacogne Date: Tue, 29 Nov 2022 15:10:57 +0000 (+0100) Subject: systemd service: Only enable MemoryDenyWriteExecute for ixfrdist X-Git-Tag: dnsdist-1.8.0-rc1~188^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F11065%2Fhead;p=thirdparty%2Fpdns.git systemd service: Only enable MemoryDenyWriteExecute for ixfrdist Because it does not play well with LuaJIT, which all other products use.
---
diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index b12c11802a..4fea89c11c 100644
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -1793,9 +1793,6 @@ endif
 if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
 	$(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@
 endif
-if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
-	$(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
-endif
 if !HAVE_SYSTEMD_PROTECT_PROC
 	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
 endif
diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am
index 43d5cc1659..c3ed1f1580 100644
--- a/pdns/dnsdistdist/Makefile.am
+++ b/pdns/dnsdistdist/Makefile.am
@@ -542,9 +542,6 @@ endif
 if !HAVE_SYSTEMD_PROTECT_PROC
 	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
 endif
-if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
-	$(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
-endif
 if !HAVE_SYSTEMD_PRIVATE_IPC
 	$(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@
 endif
diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in
index 73d78fd028..eb75e7632a 100644
--- a/pdns/dnsdistdist/dnsdist.service.in
+++ b/pdns/dnsdistdist/dnsdist.service.in
@@ -51,10 +51,11 @@ RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
-MemoryDenyWriteExecute=true
 PrivateIPC=true
 RemoveIPC=true
 DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/ixfrdist.service.in b/pdns/ixfrdist.service.in
index b69618abe3..a1b07220a3 100644
--- a/pdns/ixfrdist.service.in
+++ b/pdns/ixfrdist.service.in
@@ -35,10 +35,10 @@ RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
-MemoryDenyWriteExecute=true
 PrivateIPC=true
 RemoveIPC=true
 DevicePolicy=closed
+MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in
index d073ec3d5e..1d23347b4d 100644
--- a/pdns/pdns.service.in
+++ b/pdns/pdns.service.in
@@ -41,10 +41,11 @@ RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
-MemoryDenyWriteExecute=true
 PrivateIPC=true
 RemoveIPC=true
 DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am
index cde922ed8f..629976e0d1 100644
--- a/pdns/recursordist/Makefile.am
+++ b/pdns/recursordist/Makefile.am
@@ -624,9 +624,6 @@ endif
 if !HAVE_SYSTEMD_PROTECT_PROC
 	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
 endif
-if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
-	$(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
-endif
 if !HAVE_SYSTEMD_PRIVATE_IPC
 	$(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@
 endif
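Review bot: The new `# Not enabled by default because it does not play well with LuaJIT` comment in dnsdist.service.in tells an operator neither what is given up nor how to get it back, and since LuaJIT-versus-Lua is a build-time choice, a deployment built on plain Lua now loses W^X enforcement for no reason. Presumably the conflict is that the JIT has to write generated machine code and then execute it, which is exactly what this directive forbids; confirm that before stating it in the unit. I would replace the comment with `# Disabled by default: LuaJIT needs writable+executable memory for generated code.` followed by `# Builds without LuaJIT can restore W^X enforcement via a drop-in (systemctl edit dnsdist.service) with MemoryDenyWriteExecute=true.` That is two lines, in keeping with the terse style of the rest of the `[Service]` section.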
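Review bot: `MemoryDenyWriteExecute=true` stays active in ixfrdist.service.in, yet the same commit drops the `if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE` strip from pdns/Makefile.am, which lives in the same directory as this unit; if that rule also post-processes ixfrdist.service (not visible here), the directive now reaches systemd versions whose configure check reported no support for it. As far as I know systemd logs an unknown-key warning and ignores such a line rather than refusing to start the unit, so the effect is journal noise plus silently absent hardening rather than a broken service, but the conditional existed for that case. If ixfrdist.service goes through the same rewrite rule, keep the `if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE` block; the `# MemoryDenyWriteExecute=true` lines in the other units no longer match `/^MemoryDenyWriteExecute/`, so leaving the strip in place is harmless for them. Separately, the hunk moves the directive from after `ProtectProc=invisible` to after `DevicePolicy=closed`; ordering is irrelevant to systemd, so a smaller diff would leave it where it was.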
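Review bot: Commenting the directive out unconditionally in pdns.service.in discards W^X enforcement even for builds linked against plain Lua or with Lua support disabled, where it worked before this change. The Makefile already rewrites the generated unit with `perl -ni -e 'print unless /^.../'` under configure conditionals, so the same mechanism could keep `MemoryDenyWriteExecute=true` in the template and strip it only when the build actually uses LuaJIT, using whatever conditional configure exposes for that choice (not visible in this diff). That keeps the mitigation where it is safe and removes it only where the commit message says it breaks. If a build-time conditional is not wanted, the comment should at least say that non-LuaJIT deployments can re-enable the directive with a drop-in, e.g. `# Re-enable via a drop-in if this build does not use LuaJIT.`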
diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in
index dc88bbfda7..ddb9236720 100644
--- a/pdns/recursordist/pdns-recursor.service.in
+++ b/pdns/recursordist/pdns-recursor.service.in
@@ -42,10 +42,11 @@ RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
-MemoryDenyWriteExecute=true
 PrivateIPC=true
 RemoveIPC=true
 DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
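Review bot: The `# Not enabled by default...` comment above the disabled directive in pdns-recursor.service.in does not record the consequence: without `MemoryDenyWriteExecute` the unit no longer stops the process from creating or re-protecting writable+executable mappings, and none of the denied `SystemCallFilter` groups on the line above (`@clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete`) cover mmap/mprotect, so this was the only W^X control in the sandbox. I would make that trade-off visible in the unit itself: `# Not enabled by default: LuaJIT needs writable+executable memory for its generated code,` followed by `# so W^X enforcement is lost here; re-enable via a drop-in if this build does not use LuaJIT.` Whether Lua scripting is mandatory or optional for a given recursor build is not visible in this diff, so confirm the "if this build does not use LuaJIT" wording against the configure options before committing it.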