ExecStartPre=@bindir@/dnsdist --check-config
# Note: when editing the ExecStart command, keep --supervised and --disable-syslog
ExecStart=@bindir@/dnsdist --supervised --disable-syslog
-
Type=notify
Restart=on-failure
RestartSec=2
TimeoutStopSec=5
StartLimitInterval=0
-PrivateTmp=true
-PrivateDevices=true
+
+# Tuning
+LimitNOFILE=16384
+TasksMax=8192
+
+# Sandboxing
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
+LockPersonality=true
NoNewPrivileges=true
-ProtectSystem=full
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-LimitNOFILE=16384
-TasksMax=8192
+RestrictNamespaces=true
+RestrictRealtime=true
[Install]
WantedBy=multi-user.target
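Review bot: The directives added under `# Sandboxing` (`LockPersonality=`, `RestrictNamespaces=`, `ProtectKernelModules=`, `ProtectKernelTunables=`, `ProtectControlGroups=`) need a recent systemd — `LockPersonality=` only appeared in v235 — and an older systemd does not fail the unit but logs an unknown-setting warning and skips the directive, so the sandbox silently degrades on older hosts with nothing in the file saying so. A comment above the block would record that, e.g. `# Sandboxing (LockPersonality= needs systemd >= 235; older versions warn and ignore unknown settings)`; the identical blocks in the hunks ending at line 63 and line 94 would carry the same note. Given the block already restricts address families and namespaces, `SystemCallArchitectures=native` is a cheap companion that rejects non-native ABI system calls, whereas a `SystemCallFilter=` would need testing against the Lua and backend code paths before it is enabled. The `[Service]` header of this unit lies above the hunk.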
After=network-online.target mysqld.service postgresql.service slapd.service mariadb.service
[Service]
-Type=notify
ExecStart=@sbindir@/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
+Type=notify
Restart=on-failure
RestartSec=1
StartLimitInterval=0
-PrivateTmp=true
-PrivateDevices=true
+
+# Sandboxing
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
-NoNewPrivileges=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
# ProtectSystem=full will disallow write access to /etc and /usr, possibly
# not being able to write slaved-zones into sqlite3 or zonefiles.
ProtectSystem=full
-ProtectHome=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
[Install]
WantedBy=multi-user.target
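Review bot: This hunk removes `NoNewPrivileges=true`, `PrivateTmp=true` and `PrivateDevices=true` from the pdns_server unit and does not re-add them under `# Sandboxing`, while the dnsdist and pdns_recursor hunks keep all three in their new blocks, so the authoritative server ends up with a strictly weaker sandbox than its siblings; `NoNewPrivileges=` in particular is what stops SUID/SGID and file-capability binaries run by the service from handing extra privileges to child processes. Unless the omission is deliberate (nothing in the hunk explains it), the three lines belong back in the sorted block: `NoNewPrivileges=true` after `LockPersonality=true`, then `PrivateDevices=true` and `PrivateTmp=true` before `ProtectControlGroups=true`. If one of them is intentionally left out because a backend needs a device node or a helper binary, a comment in the style of the existing `ProtectSystem=full` note should say which and why.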
After=network-online.target
[Service]
-Type=notify
ExecStart=@sbindir@/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no
+Type=notify
Restart=on-failure
StartLimitInterval=0
-PrivateTmp=true
-PrivateDevices=true
+
+# Tuning
+LimitNOFILE=16384
+
+# Sandboxing
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
+LockPersonality=true
NoNewPrivileges=true
-ProtectSystem=full
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-LimitNOFILE=4200
+RestrictNamespaces=true
+RestrictRealtime=true
[Install]
WantedBy=multi-user.target