From: Remi Gacogne
Date: Mon, 21 May 2018 08:41:47 +0000 (+0200)
Subject: Mode sandboxing using systemd's features
X-Git-Tag: rec-4.2.0-alpha1~6^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f4f86b16c2e4b1a49dc0be81c1332007c4287dc;p=thirdparty%2Fpdns.git
Mode sandboxing using systemd's features
---
diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in
index 435c5da659..f64f1a9f04 100644
--- a/pdns/dnsdistdist/dnsdist.service.in
+++ b/pdns/dnsdistdist/dnsdist.service.in
@@ -9,21 +9,30 @@ After=network-online.target
 ExecStartPre=@bindir@/dnsdist --check-config
 # Note: when editing the ExecStart command, keep --supervised and --disable-syslog
 ExecStart=@bindir@/dnsdist --supervised --disable-syslog
-
 Type=notify
 Restart=on-failure
 RestartSec=2
 TimeoutStopSec=5
 StartLimitInterval=0
-PrivateTmp=true
-PrivateDevices=true
+
+# Tuning
+LimitNOFILE=16384
+TasksMax=8192
+
+# Sandboxing
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
+LockPersonality=true
 NoNewPrivileges=true
-ProtectSystem=full
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-LimitNOFILE=16384
-TasksMax=8192
+RestrictNamespaces=true
+RestrictRealtime=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in
index e9bad4f01e..928ec46643 100644
--- a/pdns/pdns.service.in
+++ b/pdns/pdns.service.in
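Review bot: The new directives under `# Sandboxing` (LockPersonality, ProtectControlGroups, ProtectKernelModules, ProtectKernelTunables, RestrictNamespaces, RestrictRealtime) are only understood by fairly recent systemd releases (roughly v231–v233 depending on the directive); older systemd logs each one as an unknown lvalue at unit load and ignores it, so on such hosts the unit silently provides less isolation than it reads as providing. Since the unit files do not record that, I would extend the section comment to something like `# Sandboxing (several of these need systemd >= 233; older versions warn "Unknown lvalue" and skip them)` so operators checking `systemctl status` warnings know what to expect. The same comment applies to the pdns.service.in and pdns-recursor.service.in hunks, which add the same directives. The unit's `[Unit]` section starts outside this hunk.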
@@ -6,20 +6,25 @@ Wants=network-online.target
 After=network-online.target mysqld.service postgresql.service slapd.service mariadb.service
 
 [Service]
-Type=notify
 ExecStart=@sbindir@/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
+Type=notify
 Restart=on-failure
 RestartSec=1
 StartLimitInterval=0
-PrivateTmp=true
-PrivateDevices=true
+
+# Sandboxing
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
-NoNewPrivileges=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 # ProtectSystem=full will disallow write access to /etc and /usr, possibly
 # not being able to write slaved-zones into sqlite3 or zonefiles.
 ProtectSystem=full
-ProtectHome=true
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in
index 4c0d61bf03..8855acaee8 100644
--- a/pdns/recursordist/pdns-recursor.service.in
+++ b/pdns/recursordist/pdns-recursor.service.in
@@ -7,18 +7,28 @@ Before=nss-lookup.target
 After=network-online.target
 
 [Service]
-Type=notify
 ExecStart=@sbindir@/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no
+Type=notify
 Restart=on-failure
 StartLimitInterval=0
-PrivateTmp=true
-PrivateDevices=true
+
+# Tuning
+LimitNOFILE=16384
+
+# Sandboxing
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
+LockPersonality=true
 NoNewPrivileges=true
-ProtectSystem=full
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-LimitNOFILE=4200
+RestrictNamespaces=true
+RestrictRealtime=true
 
 [Install]
 WantedBy=multi-user.target
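Review bot: The pdns.service.in hunk removes `NoNewPrivileges=true`, `PrivateTmp=true` and `PrivateDevices=true` and never adds them back, so the authoritative server ends up with a weaker sandbox after this commit than before it, which is the opposite of what the commit title states. The dnsdist and recursor hunks re-add all three under `# Sandboxing`, so this looks like an accidental omission while reordering the block rather than a deliberate choice. I would insert `NoNewPrivileges=true`, `PrivateDevices=true` and `PrivateTmp=true` right after `LockPersonality=true` to keep the three units aligned. If dropping any of them is intentional (for example a backend that needs a setuid helper), that reason belongs in a comment next to the directive, as was done for ProtectSystem=full.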
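Review bot: In the pdns-recursor.service.in hunk, `-LimitNOFILE=4200` / `+LimitNOFILE=16384` quadruples the recursor's file-descriptor limit, which is a functional change unrelated to sandboxing and not mentioned in the commit message. Nothing in the hunk says why 4200 was no longer enough or why 16384 was chosen; it matches dnsdist's value in the first hunk, so presumably the intent is to align the two, but that is a guess. I would either split it into its own commit or annotate it, e.g. `# Tuning (LimitNOFILE raised from 4200 to match dnsdist)`, so the next person touching the limit has the rationale.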