systemd service: disallow access to devices (except, zero, full, null, random, urandom)

diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in
index 07752a3fc54c542a86ad36c73940340a3cc94cbd..73d78fd02869576a8295126ccc83897ab8bcc1d1 100644 (file)
--- a/pdns/dnsdistdist/dnsdist.service.in
+++ b/pdns/dnsdistdist/dnsdist.service.in
@@ -54,6 +54,7 @@ ProtectProc=invisible
 MemoryDenyWriteExecute=true
 PrivateIPC=true
 RemoveIPC=true
+DevicePolicy=closed
 
 [Install]
 WantedBy=multi-user.target

diff --git a/pdns/ixfrdist.service.in b/pdns/ixfrdist.service.in
index a30ebced0784f0246a664cf99b26d2b09364bb35..b69618abe386c2302ec88fa8c992271ba23aae39 100644 (file)
--- a/pdns/ixfrdist.service.in
+++ b/pdns/ixfrdist.service.in
@@ -38,6 +38,7 @@ ProtectProc=invisible
 MemoryDenyWriteExecute=true
 PrivateIPC=true
 RemoveIPC=true
+DevicePolicy=closed
 
 [Install]
 WantedBy=multi-user.target

diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in
index 1a0618c31fc9e2866a082d48f30ba2e905aa8fec..d073ec3d5eb3f728edc35d9672291bafb0b86898 100644 (file)
--- a/pdns/pdns.service.in
+++ b/pdns/pdns.service.in
@@ -44,6 +44,7 @@ ProtectProc=invisible
 MemoryDenyWriteExecute=true
 PrivateIPC=true
 RemoveIPC=true
+DevicePolicy=closed
 
 [Install]
 WantedBy=multi-user.target

diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in
index ab7a07d55865a4b6d102392650695cb99456ef79..dc88bbfda706a60fbbbc85b2f7abceec090da191 100644 (file)
--- a/pdns/recursordist/pdns-recursor.service.in
+++ b/pdns/recursordist/pdns-recursor.service.in
@@ -45,6 +45,7 @@ ProtectProc=invisible
 MemoryDenyWriteExecute=true
 PrivateIPC=true
 RemoveIPC=true
+DevicePolicy=closed
 
 [Install]
 WantedBy=multi-user.target