service files: Add ProtectProc

Another sandboxing option,
[ProtectProc](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectProc=)
hides all /proc/<pid> that are not owned by the service user and hides
some kernel things from /proc as well.

diff --git a/m4/systemd.m4 b/m4/systemd.m4
index 66dc62cdeb80c390083f8e8eb73d52e92e6b45c6..2fff4c3001bf45841467d8a872eb3fdd537b08d0 100644 (file)
--- a/m4/systemd.m4
+++ b/m4/systemd.m4
@@ -193,6 +193,9 @@ AC_DEFUN([AX_CHECK_SYSTEMD_FEATURES], [
               if test $_systemd_version -ge 245; then
                  systemd_protect_clock=y
               fi
+              if test $_systemd_version -ge 247; then
+                 systemd_protect_proc=y
+              fi
           ])
         ])
         AM_CONDITIONAL([HAVE_SYSTEMD_DYNAMIC_USER], [ test x"$systemd_dynamic_user" = "xy" ])
@@ -210,6 +213,7 @@ AC_DEFUN([AX_CHECK_SYSTEMD_FEATURES], [
         AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_LOGS], [ test x"$systemd_protect_kernel_logs" = "xy" ])
         AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_MODULES], [ test x"$systemd_protect_kernel_modules" = "xy" ])
         AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_TUNABLES], [ test x"$systemd_protect_kernel_tunables" = "xy" ])
+        AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_PROC], [ test x"$systemd_protect_proc" = "xy" ])
         AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_SYSTEM], [ test x"$systemd_protect_system" = "xy" ])
         AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_SYSTEM_STRICT], [ test x"$systemd_protect_system_strict" = "xy" ])
         AM_CONDITIONAL([HAVE_SYSTEMD_REMOVE_IPC], [ test x"$systemd_remove_ipc" = "xy" ])

diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index 385d3bae16b784489cd215d6de290e6717847706..9022aef3b1e760210a9eb09e8248fe3f224962b4 100644 (file)
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -1793,6 +1793,9 @@ endif
 if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
        $(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@
 endif
+if !HAVE_SYSTEMD_PROTECT_PROC
+       $(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
+endif
 
 pdns@.service: pdns.service
        $(AM_V_GEN)sed -e 's!/pdns_server!& --config-name=%i!' \
@@ -1873,6 +1876,9 @@ endif
 if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
        $(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@
 endif
+if !HAVE_SYSTEMD_PROTECT_PROC
+       $(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
+endif
 
 ixfrdist@.service: ixfrdist.service
        $(AM_V_GEN)sed -e 's!/ixfrdist!& --config $(sysconfdir)/ixfrdist-%i.yml!' \

diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am
index 97ca86feca2239ce40eea815b259bafd8f9bec93..bb86e2651d2b9ab8341f29530bc223808d00a973 100644 (file)
--- a/pdns/dnsdistdist/Makefile.am
+++ b/pdns/dnsdistdist/Makefile.am
@@ -539,6 +539,9 @@ endif
 if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
        $(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@
 endif
+if !HAVE_SYSTEMD_PROTECT_PROC
+       $(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
+endif
 
 dnsdist@.service: dnsdist.service
        $(AM_V_GEN)sed -e 's!/dnsdist !&--config $(sysconfdir)/dnsdist-%i.conf !' \

diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in
index 651f9b32dc3f3bc3cdcb9ca436b3504361cab35d..3ad9def6e8e2bb17adb2ca9214b9a491206ed831 100644 (file)
--- a/pdns/dnsdistdist/dnsdist.service.in
+++ b/pdns/dnsdistdist/dnsdist.service.in
@@ -50,6 +50,7 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
 
 [Install]
 WantedBy=multi-user.target

diff --git a/pdns/ixfrdist.service.in b/pdns/ixfrdist.service.in
index 7aeab5138904b0b770e30edcdfb0b3e134890e98..2de29d500c0383540d5eacfb7021bb487b7ef23d 100644 (file)
--- a/pdns/ixfrdist.service.in
+++ b/pdns/ixfrdist.service.in
@@ -34,6 +34,7 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
 
 [Install]
 WantedBy=multi-user.target

diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in
index 368348ebdc1f29789a4030ed3fe04331a79feecb..811705e5d0bcced4ecbc1fd28ace5efd24fbba48 100644 (file)
--- a/pdns/pdns.service.in
+++ b/pdns/pdns.service.in
@@ -40,6 +40,7 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
 
 [Install]
 WantedBy=multi-user.target

diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am
index 48f89b0c39a2b0556dceaac7b3980a9e742aa639..023b05e2dd568b4b91fd15e1c676a3b6a2675ef2 100644 (file)
--- a/pdns/recursordist/Makefile.am
+++ b/pdns/recursordist/Makefile.am
@@ -621,6 +621,9 @@ endif
 if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
        $(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@
 endif
+if !HAVE_SYSTEMD_PROTECT_PROC
+       $(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
+endif
 
 pdns-recursor@.service: pdns-recursor.service
        $(AM_V_GEN)sed -e 's!/pdns_recursor!& --config-name=%i!' \

diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in
index 1ca38203cba9ca757fd470eea5f3fce64ff38ccc..625f827bb8c66ba2fdecbf9329daf3ede876b077 100644 (file)
--- a/pdns/recursordist/pdns-recursor.service.in
+++ b/pdns/recursordist/pdns-recursor.service.in
@@ -41,6 +41,7 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
 
 [Install]
 WantedBy=multi-user.target