systemd service: lock down IPC

diff --git a/m4/systemd.m4 b/m4/systemd.m4
index 2fff4c3001bf45841467d8a872eb3fdd537b08d0..faa53589ca9d931f15609c3f9f20a65be1bb2f79 100644 (file)
--- a/m4/systemd.m4
+++ b/m4/systemd.m4
@@ -196,6 +196,9 @@ AC_DEFUN([AX_CHECK_SYSTEMD_FEATURES], [
               if test $_systemd_version -ge 247; then
                  systemd_protect_proc=y
               fi
+              if test $_systemd_version -ge 248; then
+                 systemd_private_ipc=y
+              fi
           ])
         ])
         AM_CONDITIONAL([HAVE_SYSTEMD_DYNAMIC_USER], [ test x"$systemd_dynamic_user" = "xy" ])
@@ -203,6 +206,7 @@ AC_DEFUN([AX_CHECK_SYSTEMD_FEATURES], [
         AM_CONDITIONAL([HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE], [ test x"$systemd_memory_deny_write_execute" = "xy" ])
         AM_CONDITIONAL([HAVE_SYSTEMD_PERCENT_T], [ test x"$systemd_percent_t" = "xy" ])
         AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_DEVICES], [ test x"$systemd_private_devices" = "xy" ])
+        AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_IPC], [ test x"$systemd_private_ipc" = "xy" ])
         AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_MOUNTS], [ test x"$systemd_private_mounts" = "xy" ])
         AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_TMP], [ test x"$systemd_private_tmp" = "xy" ])
         AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_USERS], [ test x"$systemd_private_users" = "xy" ])

diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index 0e02e4efbbf6f77be80e2c9f6672b47ff5b24c25..b12c11802a82f67f85f11cded57e6b7a3daf318c 100644 (file)
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -1799,6 +1799,12 @@ endif
 if !HAVE_SYSTEMD_PROTECT_PROC
        $(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
 endif
+if !HAVE_SYSTEMD_PRIVATE_IPC
+       $(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@
+endif
+if !HAVE_SYSTEMD_REMOVE_IPC
+       $(AM_V_GEN)perl -ni -e 'print unless /^RemoveIPC/' $@
+endif
 
 pdns@.service: pdns.service
        $(AM_V_GEN)sed -e 's!/pdns_server!& --config-name=%i!' \
@@ -1885,6 +1891,12 @@ endif
 if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
        $(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
 endif
+if !HAVE_SYSTEMD_PRIVATE_IPC
+       $(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@
+endif
+if !HAVE_SYSTEMD_REMOVE_IPC
+       $(AM_V_GEN)perl -ni -e 'print unless /^RemoveIPC/' $@
+endif
 
 ixfrdist@.service: ixfrdist.service
        $(AM_V_GEN)sed -e 's!/ixfrdist!& --config $(sysconfdir)/ixfrdist-%i.yml!' \

diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am
index 820cd93a899af3cc253b866f1bd12b1a6b63bbfe..43d5cc16591380a05360670444f0e01fd1958c5f 100644 (file)
--- a/pdns/dnsdistdist/Makefile.am
+++ b/pdns/dnsdistdist/Makefile.am
@@ -545,6 +545,12 @@ endif
 if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
        $(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
 endif
+if !HAVE_SYSTEMD_PRIVATE_IPC
+       $(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@
+endif
+if !HAVE_SYSTEMD_REMOVE_IPC
+       $(AM_V_GEN)perl -ni -e 'print unless /^RemoveIPC/' $@
+endif
 
 dnsdist@.service: dnsdist.service
        $(AM_V_GEN)sed -e 's!/dnsdist !&--config $(sysconfdir)/dnsdist-%i.conf !' \

diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in
index 65acb73aa25c0b578b5ec1902320f440cc64399b..07752a3fc54c542a86ad36c73940340a3cc94cbd 100644 (file)
--- a/pdns/dnsdistdist/dnsdist.service.in
+++ b/pdns/dnsdistdist/dnsdist.service.in
@@ -52,6 +52,8 @@ SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
 MemoryDenyWriteExecute=true
+PrivateIPC=true
+RemoveIPC=true
 
 [Install]
 WantedBy=multi-user.target

diff --git a/pdns/ixfrdist.service.in b/pdns/ixfrdist.service.in
index 76d0cdd01af0fcb8cd88f20c5cc327264c14a3ad..a30ebced0784f0246a664cf99b26d2b09364bb35 100644 (file)
--- a/pdns/ixfrdist.service.in
+++ b/pdns/ixfrdist.service.in
@@ -36,6 +36,8 @@ SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
 MemoryDenyWriteExecute=true
+PrivateIPC=true
+RemoveIPC=true
 
 [Install]
 WantedBy=multi-user.target

diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in
index 27e5701d915225d800dc52724d8c161b3f4f22a0..1a0618c31fc9e2866a082d48f30ba2e905aa8fec 100644 (file)
--- a/pdns/pdns.service.in
+++ b/pdns/pdns.service.in
@@ -42,6 +42,8 @@ SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
 MemoryDenyWriteExecute=true
+PrivateIPC=true
+RemoveIPC=true
 
 [Install]
 WantedBy=multi-user.target

diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am
index 3bae24e3ae55372494a924c96cedf6d4d355fbdf..cde922ed8fcfbcd2cf892d4bc22d24c843cd9f0c 100644 (file)
--- a/pdns/recursordist/Makefile.am
+++ b/pdns/recursordist/Makefile.am
@@ -627,6 +627,12 @@ endif
 if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
        $(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
 endif
+if !HAVE_SYSTEMD_PRIVATE_IPC
+       $(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@
+endif
+if !HAVE_SYSTEMD_REMOVE_IPC
+       $(AM_V_GEN)perl -ni -e 'print unless /^RemoveIPC/' $@
+endif
 
 pdns-recursor@.service: pdns-recursor.service
        $(AM_V_GEN)sed -e 's!/pdns_recursor!& --config-name=%i!' \

diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in
index 3062e83f658b73fdb0a23bb7ca66e9f1ebd5e1f1..ab7a07d55865a4b6d102392650695cb99456ef79 100644 (file)
--- a/pdns/recursordist/pdns-recursor.service.in
+++ b/pdns/recursordist/pdns-recursor.service.in
@@ -43,6 +43,8 @@ SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
 MemoryDenyWriteExecute=true
+PrivateIPC=true
+RemoveIPC=true
 
 [Install]
 WantedBy=multi-user.target