From: Pieter Lexis
Date: Fri, 3 Dec 2021 09:37:46 +0000 (+0100)
Subject: service files: Add ProtectProc
X-Git-Tag: dnsdist-1.8.0-rc1~188^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3a0c3b6812769bc4653e8e04166687ef4a04b20e;p=thirdparty%2Fpdns.git

service files: Add ProtectProc

Another sandboxing option, [ProtectProc](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectProc=) hides all /proc/ that are not owned by the service user and hides some kernel things from /proc as well.
---
diff --git a/m4/systemd.m4 b/m4/systemd.m4
index 66dc62cdeb..2fff4c3001 100644
--- a/m4/systemd.m4
+++ b/m4/systemd.m4
@@ -193,6 +193,9 @@ AC_DEFUN([AX_CHECK_SYSTEMD_FEATURES], [
     if test $_systemd_version -ge 245; then
       systemd_protect_clock=y
     fi
+    if test $_systemd_version -ge 247; then
+      systemd_protect_proc=y
+    fi
   ])
 ])
   AM_CONDITIONAL([HAVE_SYSTEMD_DYNAMIC_USER], [ test x"$systemd_dynamic_user" = "xy" ])
@@ -210,6 +213,7 @@ AC_DEFUN([AX_CHECK_SYSTEMD_FEATURES], [
   AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_LOGS], [ test x"$systemd_protect_kernel_logs" = "xy" ])
   AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_MODULES], [ test x"$systemd_protect_kernel_modules" = "xy" ])
   AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_TUNABLES], [ test x"$systemd_protect_kernel_tunables" = "xy" ])
+  AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_PROC], [ test x"$systemd_protect_proc" = "xy" ])
   AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_SYSTEM], [ test x"$systemd_protect_system" = "xy" ])
   AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_SYSTEM_STRICT], [ test x"$systemd_protect_system_strict" = "xy" ])
   AM_CONDITIONAL([HAVE_SYSTEMD_REMOVE_IPC], [ test x"$systemd_remove_ipc" = "xy" ])
diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index 385d3bae16..9022aef3b1 100644
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
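Review bot: The new version gate in the first hunk makes `ProtectProc=` conditional on systemd >= 247 only, but as far as I recall the directive is implemented through a per-mount procfs hidepid option that also needs kernel support (5.8 or newer), and systemd ignores it rather than failing the unit on older kernels, so a passing configure check does not by itself guarantee the unit is hardened at runtime. That cannot be detected at build time, but it is worth recording next to the check; I would add above the new `if`: `# ProtectProc= landed in systemd 247; it additionally needs kernel support for per-mount procfs hidepid to take effect`. The `AM_CONDITIONAL` added in the second hunk mirrors the neighbouring entries and needs nothing further. The body of `AX_CHECK_SYSTEMD_FEATURES` starts and ends outside both hunks.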
@@ -1793,6 +1793,9 @@ endif
 if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
 	$(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@
 endif
+if !HAVE_SYSTEMD_PROTECT_PROC
+	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
+endif
 
 pdns@.service: pdns.service
 	$(AM_V_GEN)sed -e 's!/pdns_server!& --config-name=%i!' \
@@ -1873,6 +1876,9 @@ endif
 if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
 	$(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@
 endif
+if !HAVE_SYSTEMD_PROTECT_PROC
+	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
+endif
 
 ixfrdist@.service: ixfrdist.service
 	$(AM_V_GEN)sed -e 's!/ixfrdist!& --config $(sysconfdir)/ixfrdist-%i.yml!' \
diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am
index 97ca86feca..bb86e2651d 100644
--- a/pdns/dnsdistdist/Makefile.am
+++ b/pdns/dnsdistdist/Makefile.am
@@ -539,6 +539,9 @@ endif
 if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
 	$(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@
 endif
+if !HAVE_SYSTEMD_PROTECT_PROC
+	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
+endif
 
 dnsdist@.service: dnsdist.service
 	$(AM_V_GEN)sed -e 's!/dnsdist !&--config $(sysconfdir)/dnsdist-%i.conf !' \
diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in
index 651f9b32dc..3ad9def6e8 100644
--- a/pdns/dnsdistdist/dnsdist.service.in
+++ b/pdns/dnsdistdist/dnsdist.service.in
@@ -50,6 +50,7 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/ixfrdist.service.in b/pdns/ixfrdist.service.in
index 7aeab51389..2de29d500c 100644
--- a/pdns/ixfrdist.service.in
+++ b/pdns/ixfrdist.service.in
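Review bot: The new `if !HAVE_SYSTEMD_PROTECT_PROC` block in the first hunk of pdns/Makefile.am, like the existing blocks around it, gives no hint why the directive is stripped, and the same block is repeated verbatim in the second hunk (-1873), in pdns/dnsdistdist/Makefile.am (-539) and in pdns/recursordist/Makefile.am (-621). A one-line comment on each would save the next reader a trip to m4/systemd.m4: `# systemd < 247 does not know ProtectProc=; drop it so older hosts do not get an unknown-key directive in the installed unit`. Each such block re-runs `perl -ni` over `$@`, so the generated unit goes through one extra in-place pass per feature; the commit follows the established pattern, so that is a pre-existing style point rather than a defect. The recipes these blocks belong to start outside the hunks.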
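Review bot: `ProtectProc=invisible` added to dnsdist.service.in (and identically to ixfrdist.service.in, pdns.service.in and pdns-recursor.service.in) hides other users' `/proc/<pid>` entries from the service's own user, so it is of little value if the unit keeps root privileges (as far as I recall hidepid exempts CAP_SYS_PTRACE holders); the `User=` and capability lines that decide this are outside the hunk, so please confirm each unit drops privileges. It is also ignored rather than rejected on kernels without per-mount hidepid support, so the hardening should not be assumed without checking the target kernel. Since the commit message also expects non-process kernel entries to disappear from /proc, the companion directive for that is `ProcSubset=pid` (same systemd version); before adding it, verify that the daemons read nothing under /proc outside `/proc/<pid>` paths, because that setting makes such reads fail.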
@@ -34,6 +34,7 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in
index 368348ebdc..811705e5d0 100644
--- a/pdns/pdns.service.in
+++ b/pdns/pdns.service.in
@@ -40,6 +40,7 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am
index 48f89b0c39..023b05e2dd 100644
--- a/pdns/recursordist/Makefile.am
+++ b/pdns/recursordist/Makefile.am
@@ -621,6 +621,9 @@ endif
 if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
 	$(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@
 endif
+if !HAVE_SYSTEMD_PROTECT_PROC
+	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
+endif
 
 pdns-recursor@.service: pdns-recursor.service
 	$(AM_V_GEN)sed -e 's!/pdns_recursor!& --config-name=%i!' \
diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in
index 1ca38203cb..625f827bb8 100644
--- a/pdns/recursordist/pdns-recursor.service.in
+++ b/pdns/recursordist/pdns-recursor.service.in
@@ -41,6 +41,7 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
 
 [Install]
 WantedBy=multi-user.target