# @aio, @sync, @chown, @setuid, @memlock, @signal and @timer in 235
systemd_system_call_filter=y
fi
+ if test $_systemd_version -ge 239; then
+ systemd_private_mounts=y
+ fi
+ if test $_systemd_version -ge 242; then
+ systemd_protect_hostname=y
+ systemd_restrict_suidsgid=y
+ fi
+ if test $_systemd_version -ge 244; then
+ systemd_protect_kernel_logs=y
+ fi
+ if test $_systemd_version -ge 245; then
+ systemd_protect_clock=y
+ fi
])
])
AM_CONDITIONAL([HAVE_SYSTEMD_DYNAMIC_USER], [ test x"$systemd_dynamic_user" = "xy" ])
AM_CONDITIONAL([HAVE_SYSTEMD_LOCK_PERSONALITY], [ test x"$systemd_lock_personality" = "xy" ])
AM_CONDITIONAL([HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE], [ test x"$systemd_memory_deny_write_execute" = "xy" ])
AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_DEVICES], [ test x"$systemd_private_devices" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_MOUNTS], [ test x"$systemd_private_mounts" = "xy" ])
AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_TMP], [ test x"$systemd_private_tmp" = "xy" ])
AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_USERS], [ test x"$systemd_private_users" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_CLOCK], [ test x"$systemd_protect_clock" = "xy" ])
AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_CONTROL_GROUPS], [ test x"$systemd_protect_control_groups" = "xy" ])
AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_HOME], [ test x"$systemd_protect_home" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_HOSTNAME], [ test x"$systemd_protect_hostname" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_LOGS], [ test x"$systemd_protect_kernel_logs" = "xy" ])
AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_MODULES], [ test x"$systemd_protect_kernel_modules" = "xy" ])
AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_TUNABLES], [ test x"$systemd_protect_kernel_tunables" = "xy" ])
AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_SYSTEM], [ test x"$systemd_protect_system" = "xy" ])
if !HAVE_SYSTEMD_PRIVATE_TMP
$(AM_V_GEN)perl -ni -e 'print unless /^PrivateTmp/' $@
endif
+if !HAVE_SYSTEMD_PRIVATE_USERS
+ $(AM_V_GEN)perl -ni -e 'print unless /^PrivateUsers/' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_CLOCK
+ $(AM_V_GEN)perl -ni -e 'print unless /^ProtectClock/' $@
+endif
if !HAVE_SYSTEMD_PROTECT_CONTROL_GROUPS
$(AM_V_GEN)perl -ni -e 'print unless /^ProtectControlGroups/' $@
endif
if !HAVE_SYSTEMD_PROTECT_HOME
$(AM_V_GEN)perl -ni -e 'print unless /^ProtectHome/' $@
endif
+if !HAVE_SYSTEMD_PROTECT_HOSTNAME
+ $(AM_V_GEN)perl -ni -e 'print unless /^ProtectHostname/' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_KERNEL_LOGS
+ $(AM_V_GEN)perl -ni -e 'print unless /^ProtectKernelLogs/' $@
+endif
if !HAVE_SYSTEMD_PROTECT_KERNEL_MODULES
$(AM_V_GEN)perl -ni -e 'print unless /^ProtectKernelModules/' $@
endif
if !HAVE_SYSTEMD_RESTRICT_REALTIME
$(AM_V_GEN)perl -ni -e 'print unless /^RestrictRealtime/' $@
endif
+if !HAVE_SYSTEMD_RESTRICT_SUIDSGID
+ $(AM_V_GEN)perl -ni -e 'print unless /^RestrictSUIDSGID/' $@
+endif
if !HAVE_SYSTEMD_SYSTEM_CALL_ARCHITECTURES
$(AM_V_GEN)perl -ni -e 'print unless /^SystemCallArchitectures/' $@
endif
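Review bot: The new strip rules for PrivateUsers, ProtectClock, ProtectHostname, ProtectKernelLogs and RestrictSUIDSGID match by bare prefix (`print unless /^ProtectClock/`); that is correct for the directives present today, but anchoring on the `=` (`print unless /^ProtectClock=/`) states that a whole directive name is meant and cannot catch a future directive that merely shares the prefix. The same block of rules is repeated verbatim in the two later Makefile.am hunks of this commit, so every new systemd option now has to be added in three Makefiles plus configure.ac; a shared automake include or a single list of directive names iterated by one recipe would keep them from drifting. configure.ac also gains HAVE_SYSTEMD_PRIVATE_MOUNTS, yet no strip rule and no `PrivateMounts=` directive appear in any hunk shown here, so unless it is consumed elsewhere that conditional is currently unused. The make target whose recipe these `perl -ni` lines belong to starts outside the hunk.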
if !HAVE_SYSTEMD_PRIVATE_TMP
$(AM_V_GEN)perl -ni -e 'print unless /^PrivateTmp/' $@
endif
+if !HAVE_SYSTEMD_PRIVATE_USERS
+ $(AM_V_GEN)perl -ni -e 'print unless /^PrivateUsers/' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_CLOCK
+ $(AM_V_GEN)perl -ni -e 'print unless /^ProtectClock/' $@
+endif
if !HAVE_SYSTEMD_PROTECT_CONTROL_GROUPS
$(AM_V_GEN)perl -ni -e 'print unless /^ProtectControlGroups/' $@
endif
if !HAVE_SYSTEMD_PROTECT_HOME
$(AM_V_GEN)perl -ni -e 'print unless /^ProtectHome/' $@
endif
+if !HAVE_SYSTEMD_PROTECT_HOSTNAME
+ $(AM_V_GEN)perl -ni -e 'print unless /^ProtectHostname/' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_KERNEL_LOGS
+ $(AM_V_GEN)perl -ni -e 'print unless /^ProtectKernelLogs/' $@
+endif
if !HAVE_SYSTEMD_PROTECT_KERNEL_MODULES
$(AM_V_GEN)perl -ni -e 'print unless /^ProtectKernelModules/' $@
endif
if !HAVE_SYSTEMD_RESTRICT_REALTIME
$(AM_V_GEN)perl -ni -e 'print unless /^RestrictRealtime/' $@
endif
+if !HAVE_SYSTEMD_RESTRICT_SUIDSGID
+ $(AM_V_GEN)perl -ni -e 'print unless /^RestrictSUIDSGID/' $@
+endif
if !HAVE_SYSTEMD_SYSTEM_CALL_ARCHITECTURES
$(AM_V_GEN)perl -ni -e 'print unless /^SystemCallArchitectures/' $@
endif
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
+# Setting PrivateUsers=true prevents us from opening our sockets
+PrivateUsers=true
+ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
+RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
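Review bot: `PrivateUsers=true` is added directly under a comment saying that setting it prevents the service from opening its sockets, so either the directive or the comment is wrong; the two later service-file hunks in this commit add only the comment and omit the directive, which suggests the line should be dropped here as well. As written in those two hunks the comment refers to a directive that is not present, so it reads better as `# PrivateUsers=true is deliberately omitted: it prevents us from opening our sockets`. If this unit really can run with PrivateUsers enabled, the comment should instead say why it tolerates the user-namespace isolation where the other units cannot. The rest of the added hardening (ProtectClock, ProtectHostname, ProtectKernelLogs, RestrictSUIDSGID) is consistent with the version gates and strip rules added elsewhere in the commit.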
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
+# Setting PrivateUsers=true prevents us from opening our sockets
+ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# ProtectSystem=full will disallow write access to /etc and /usr, possibly
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
+RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
if !HAVE_SYSTEMD_PRIVATE_TMP
$(AM_V_GEN)perl -ni -e 'print unless /^PrivateTmp/' $@
endif
+if !HAVE_SYSTEMD_PRIVATE_USERS
+ $(AM_V_GEN)perl -ni -e 'print unless /^PrivateUsers/' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_CLOCK
+ $(AM_V_GEN)perl -ni -e 'print unless /^ProtectClock/' $@
+endif
if !HAVE_SYSTEMD_PROTECT_CONTROL_GROUPS
$(AM_V_GEN)perl -ni -e 'print unless /^ProtectControlGroups/' $@
endif
if !HAVE_SYSTEMD_PROTECT_HOME
$(AM_V_GEN)perl -ni -e 'print unless /^ProtectHome/' $@
endif
+if !HAVE_SYSTEMD_PROTECT_HOSTNAME
+ $(AM_V_GEN)perl -ni -e 'print unless /^ProtectHostname/' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_KERNEL_LOGS
+ $(AM_V_GEN)perl -ni -e 'print unless /^ProtectKernelLogs/' $@
+endif
if !HAVE_SYSTEMD_PROTECT_KERNEL_MODULES
$(AM_V_GEN)perl -ni -e 'print unless /^ProtectKernelModules/' $@
endif
if !HAVE_SYSTEMD_RESTRICT_REALTIME
$(AM_V_GEN)perl -ni -e 'print unless /^RestrictRealtime/' $@
endif
+if !HAVE_SYSTEMD_RESTRICT_SUIDSGID
+ $(AM_V_GEN)perl -ni -e 'print unless /^RestrictSUIDSGID/' $@
+endif
if !HAVE_SYSTEMD_SYSTEM_CALL_ARCHITECTURES
$(AM_V_GEN)perl -ni -e 'print unless /^SystemCallArchitectures/' $@
endif
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
+# Setting PrivateUsers=true prevents us from opening our sockets
+ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
+RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete