From 77a8401fda2fd6f5031404cfde282fa892cd8242 Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Fri, 3 Dec 2021 13:04:57 +0100 Subject: [PATCH] systemd service: lock down IPC --- m4/systemd.m4 | 4 ++++ pdns/Makefile.am | 12 ++++++++++++ pdns/dnsdistdist/Makefile.am | 6 ++++++ pdns/dnsdistdist/dnsdist.service.in | 2 ++ pdns/ixfrdist.service.in | 2 ++ pdns/pdns.service.in | 2 ++ pdns/recursordist/Makefile.am | 6 ++++++ pdns/recursordist/pdns-recursor.service.in | 2 ++ 8 files changed, 36 insertions(+) diff --git a/m4/systemd.m4 b/m4/systemd.m4 index 2fff4c3001..faa53589ca 100644 --- a/m4/systemd.m4 +++ b/m4/systemd.m4 @@ -196,6 +196,9 @@ AC_DEFUN([AX_CHECK_SYSTEMD_FEATURES], [ if test $_systemd_version -ge 247; then systemd_protect_proc=y fi + if test $_systemd_version -ge 248; then + systemd_private_ipc=y + fi ]) ]) AM_CONDITIONAL([HAVE_SYSTEMD_DYNAMIC_USER], [ test x"$systemd_dynamic_user" = "xy" ]) @@ -203,6 +206,7 @@ AC_DEFUN([AX_CHECK_SYSTEMD_FEATURES], [ AM_CONDITIONAL([HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE], [ test x"$systemd_memory_deny_write_execute" = "xy" ]) AM_CONDITIONAL([HAVE_SYSTEMD_PERCENT_T], [ test x"$systemd_percent_t" = "xy" ]) AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_DEVICES], [ test x"$systemd_private_devices" = "xy" ]) + AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_IPC], [ test x"$systemd_private_ipc" = "xy" ]) AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_MOUNTS], [ test x"$systemd_private_mounts" = "xy" ]) AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_TMP], [ test x"$systemd_private_tmp" = "xy" ]) AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_USERS], [ test x"$systemd_private_users" = "xy" ]) diff --git a/pdns/Makefile.am b/pdns/Makefile.am index 0e02e4efbb..b12c11802a 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am 
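Review bot: `HAVE_SYSTEMD_REMOVE_IPC` is tested by the new `if !HAVE_SYSTEMD_REMOVE_IPC` blocks in pdns/Makefile.am (both hunks), pdns/dnsdistdist/Makefile.am and pdns/recursordist/Makefile.am, but the second m4/systemd.m4 hunk only registers `HAVE_SYSTEMD_PRIVATE_IPC`. Unless that conditional is already defined in a part of systemd.m4 outside these hunks, automake will reject the Makefile.am files because the name appears in no AM_CONDITIONAL. I would add `AM_CONDITIONAL([HAVE_SYSTEMD_REMOVE_IPC], [ test x"$systemd_remove_ipc" = "xy" ])` next to the PrivateIPC one and set `systemd_remove_ipc=y` under the version gate for the release that introduced RemoveIPC= (232 as far as I recall; confirm against the systemd NEWS file). AX_CHECK_SYSTEMD_FEATURES starts and ends outside both hunks.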
@@ -1799,6 +1799,12 @@ endif if !HAVE_SYSTEMD_PROTECT_PROC $(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@ endif +if !HAVE_SYSTEMD_PRIVATE_IPC + $(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@ +endif +if !HAVE_SYSTEMD_REMOVE_IPC + $(AM_V_GEN)perl -ni -e 'print unless /^RemoveIPC/' $@ +endif pdns@.service: pdns.service $(AM_V_GEN)sed -e 's!/pdns_server!& --config-name=%i!' \ @@ -1885,6 +1891,12 @@ endif if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE $(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@ endif +if !HAVE_SYSTEMD_PRIVATE_IPC + $(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@ +endif +if !HAVE_SYSTEMD_REMOVE_IPC + $(AM_V_GEN)perl -ni -e 'print unless /^RemoveIPC/' $@ +endif ixfrdist@.service: ixfrdist.service $(AM_V_GEN)sed -e 's!/ixfrdist!& --config $(sysconfdir)/ixfrdist-%i.yml!' \ diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am index 820cd93a89..43d5cc1659 100644 --- a/pdns/dnsdistdist/Makefile.am +++ b/pdns/dnsdistdist/Makefile.am @@ -545,6 +545,12 @@ endif if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE $(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@ endif +if !HAVE_SYSTEMD_PRIVATE_IPC + $(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@ +endif +if !HAVE_SYSTEMD_REMOVE_IPC + $(AM_V_GEN)perl -ni -e 'print unless /^RemoveIPC/' $@ +endif dnsdist@.service: dnsdist.service $(AM_V_GEN)sed -e 's!/dnsdist !&--config $(sysconfdir)/dnsdist-%i.conf !' \ diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in index 65acb73aa2..07752a3fc5 100644 --- a/pdns/dnsdistdist/dnsdist.service.in +++ b/pdns/dnsdistdist/dnsdist.service.in @@ -52,6 +52,8 @@ SystemCallArchitectures=native SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete ProtectProc=invisible MemoryDenyWriteExecute=true +PrivateIPC=true +RemoveIPC=true [Install] WantedBy=multi-user.target 
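Review bot: `RemoveIPC=true` in dnsdist.service.in only takes effect when the unit also sets `User=`, `Group=` or `DynamicUser=`, and it never removes IPC objects owned by root. None of those directives is visible in this hunk, so the line may be a no-op if the daemon starts as root and drops privileges itself. The same applies to the identical additions in ixfrdist.service.in, pdns.service.in and pdns-recursor.service.in. A short comment above the pair would help operators who change the user in a drop-in, e.g. `# PrivateIPC= needs systemd >= 248; RemoveIPC= is only effective together with User=/Group=/DynamicUser=`. The [Service] section begins outside the hunk.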
diff --git a/pdns/ixfrdist.service.in b/pdns/ixfrdist.service.in index 76d0cdd01a..a30ebced07 100644 --- a/pdns/ixfrdist.service.in +++ b/pdns/ixfrdist.service.in @@ -36,6 +36,8 @@ SystemCallArchitectures=native SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete ProtectProc=invisible MemoryDenyWriteExecute=true +PrivateIPC=true +RemoveIPC=true [Install] WantedBy=multi-user.target diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in index 27e5701d91..1a0618c31f 100644 --- a/pdns/pdns.service.in +++ b/pdns/pdns.service.in @@ -42,6 +42,8 @@ SystemCallArchitectures=native SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete ProtectProc=invisible MemoryDenyWriteExecute=true +PrivateIPC=true +RemoveIPC=true [Install] WantedBy=multi-user.target diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am index 3bae24e3ae..cde922ed8f 100644 --- a/pdns/recursordist/Makefile.am +++ b/pdns/recursordist/Makefile.am @@ -627,6 +627,12 @@ endif if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE $(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@ endif +if !HAVE_SYSTEMD_PRIVATE_IPC + $(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@ +endif +if !HAVE_SYSTEMD_REMOVE_IPC + $(AM_V_GEN)perl -ni -e 'print unless /^RemoveIPC/' $@ +endif pdns-recursor@.service: pdns-recursor.service $(AM_V_GEN)sed -e 's!/pdns_recursor!& --config-name=%i!' \ diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in index 3062e83f65..ab7a07d558 100644 --- a/pdns/recursordist/pdns-recursor.service.in +++ b/pdns/recursordist/pdns-recursor.service.in @@ -43,6 +43,8 @@ SystemCallArchitectures=native SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete ProtectProc=invisible MemoryDenyWriteExecute=true +PrivateIPC=true +RemoveIPC=true [Install] WantedBy=multi-user.target -- 2.47.2