From: Vincent Bernat Date: Sun, 1 Jan 2017 07:24:38 +0000 (+0100) Subject: daemon: suggests additional sandboxing with systemd X-Git-Tag: 0.9.6~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=16a54f531366445bc4490fb7428a5cb3fb357430;p=thirdparty%2Flldpd.git daemon: suggests additional sandboxing with systemd This is only suggested because they are not supported by all systemd versions (and may therefore emit warnings). See: - https://lwn.net/Articles/709764/ - https://lwn.net/Articles/709350/ --- diff --git a/edit.am b/edit.am index fcff7fb9..56c23256 100644 --- a/edit.am +++ b/edit.am @@ -9,6 +9,7 @@ edit = $(SED) \ -e 's|@includedir[@]|$(includedir)|g' \ -e 's|@exec_prefix[@]|$(exec_prefix)|g' \ -e 's|@prefix[@]|$(prefix)|g' \ + -e 's|@MKDIR_P[@]|$(MKDIR_P)|g' \ -e 's|@VERSION[@]|$(VERSION)|g' \ -e 's|@PACKAGE[@]|$(PACKAGE)|g' \ -e 's|@PACKAGE_NAME[@]|$(PACKAGE_NAME)|g' \ @@ -21,4 +22,4 @@ edit = $(SED) \ -e 's|@PRIVSEP_CHROOT[@]|$(PRIVSEP_CHROOT)|g' $(TEMPLATES): Makefile - $(AM_V_GEN)mkdir -p $(@D) && $(edit) $(srcdir)/$@.in > $@.tmp && mv $@.tmp $@ + $(AM_V_GEN)$(MKDIR_P) $(@D) && $(edit) $(srcdir)/$@.in > $@.tmp && mv $@.tmp $@ diff --git a/src/daemon/lldpd.service.in b/src/daemon/lldpd.service.in index 9e6d33af..b88a47ec 100644 --- a/src/daemon/lldpd.service.in +++ b/src/daemon/lldpd.service.in @@ -9,8 +9,22 @@ Type=notify NotifyAccess=main EnvironmentFile=-/etc/default/lldpd EnvironmentFile=-/etc/sysconfig/lldpd +ExecStartPre=@MKDIR_P@ @PRIVSEP_CHROOT@ ExecStart=@sbindir@/lldpd $DAEMON_ARGS $LLDPD_OPTIONS Restart=on-failure +PrivateTmp=yes +# systemd >= 211 +#RestrictAddressFamilies=AF_INET AF_INET6 AF_PACKET AF_NETLINK AF_UNIX +# systemd >= 214 +#ProtectHome=yes +#ProtectSystem=yes +# systemd >= 231 +#ReadWritePaths=@PRIVSEP_CHROOT@ +# systemd >= 232 +#ProtectSystem=strict +#ProtectKernelTunables=yes +#ProtectControlGroups=yes +#ProtectKernelModules=yes [Install] WantedBy=multi-user.target