daemon: suggests additional sandboxing with systemd

This is only suggested because they are not supported by all systemd
versions (and may therefore emit warnings).

See:
 - https://lwn.net/Articles/709764/
 - https://lwn.net/Articles/709350/

diff --git a/edit.am b/edit.am
index fcff7fb934af8777650366d43107000fcb157357..56c232566998c2eee376ce58e0580003e291d1dc 100644 (file)
--- a/edit.am
+++ b/edit.am
@@ -9,6 +9,7 @@ edit = $(SED) \
         -e 's|@includedir[@]|$(includedir)|g' \
         -e 's|@exec_prefix[@]|$(exec_prefix)|g' \
         -e 's|@prefix[@]|$(prefix)|g' \
+        -e 's|@MKDIR_P[@]|$(MKDIR_P)|g' \
         -e 's|@VERSION[@]|$(VERSION)|g' \
         -e 's|@PACKAGE[@]|$(PACKAGE)|g' \
         -e 's|@PACKAGE_NAME[@]|$(PACKAGE_NAME)|g' \
@@ -21,4 +22,4 @@ edit = $(SED) \
         -e 's|@PRIVSEP_CHROOT[@]|$(PRIVSEP_CHROOT)|g'
 
 $(TEMPLATES): Makefile
-       $(AM_V_GEN)mkdir -p $(@D) && $(edit) $(srcdir)/$@.in > $@.tmp && mv $@.tmp $@
+       $(AM_V_GEN)$(MKDIR_P) $(@D) && $(edit) $(srcdir)/$@.in > $@.tmp && mv $@.tmp $@

diff --git a/src/daemon/lldpd.service.in b/src/daemon/lldpd.service.in
index 9e6d33af65d3627656e8cc714fed6b677253bbdc..b88a47ec4db4224c10fb6de89dffb5e3c9e580f6 100644 (file)
--- a/src/daemon/lldpd.service.in
+++ b/src/daemon/lldpd.service.in
@@ -9,8 +9,22 @@ Type=notify
 NotifyAccess=main
 EnvironmentFile=-/etc/default/lldpd
 EnvironmentFile=-/etc/sysconfig/lldpd
+ExecStartPre=@MKDIR_P@ @PRIVSEP_CHROOT@
 ExecStart=@sbindir@/lldpd $DAEMON_ARGS $LLDPD_OPTIONS
 Restart=on-failure
+PrivateTmp=yes
+# systemd >= 211
+#RestrictAddressFamilies=AF_INET AF_INET6 AF_PACKET AF_NETLINK AF_UNIX
+# systemd >= 214
+#ProtectHome=yes
+#ProtectSystem=yes
+# systemd >= 231
+#ReadWritePaths=@PRIVSEP_CHROOT@
+# systemd >= 232
+#ProtectSystem=strict
+#ProtectKernelTunables=yes
+#ProtectControlGroups=yes
+#ProtectKernelModules=yes
 
 [Install]
 WantedBy=multi-user.target