From 846806cd645f1fd9f7f3ae828e9610ebc42bfa46 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Fri, 3 Dec 2021 11:01:00 +0100
Subject: [PATCH] service files: Add MemoryDenyWriteExecute

This disallows the services to write executable memory.
---
 pdns/Makefile.am                           | 6 ++++++
 pdns/dnsdistdist/Makefile.am               | 3 +++
 pdns/dnsdistdist/dnsdist.service.in        | 1 +
 pdns/ixfrdist.service.in                   | 1 +
 pdns/pdns.service.in                       | 1 +
 pdns/recursordist/Makefile.am              | 3 +++
 pdns/recursordist/pdns-recursor.service.in | 1 +
 7 files changed, 16 insertions(+)

diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index 9022aef3b1..0e02e4efbb 100644
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -1793,6 +1793,9 @@ endif
 if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
 	$(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@
 endif
+if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
+	$(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
+endif
 if !HAVE_SYSTEMD_PROTECT_PROC
 	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
 endif
@@ -1879,6 +1882,9 @@ endif
 if !HAVE_SYSTEMD_PROTECT_PROC
 	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
 endif
+if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
+	$(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
+endif
 
 ixfrdist@.service: ixfrdist.service
 	$(AM_V_GEN)sed -e 's!/ixfrdist!& --config $(sysconfdir)/ixfrdist-%i.yml!' \
diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am
index bb86e2651d..820cd93a89 100644
--- a/pdns/dnsdistdist/Makefile.am
+++ b/pdns/dnsdistdist/Makefile.am
@@ -542,6 +542,9 @@ endif
 if !HAVE_SYSTEMD_PROTECT_PROC
 	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
 endif
+if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
+	$(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
+endif
 
 dnsdist@.service: dnsdist.service
 	$(AM_V_GEN)sed -e 's!/dnsdist !&--config $(sysconfdir)/dnsdist-%i.conf !' \
diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in
index 3ad9def6e8..65acb73aa2 100644
--- a/pdns/dnsdistdist/dnsdist.service.in
+++ b/pdns/dnsdistdist/dnsdist.service.in
@@ -51,6 +51,7 @@ RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
+MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/ixfrdist.service.in b/pdns/ixfrdist.service.in
index 2de29d500c..76d0cdd01a 100644
--- a/pdns/ixfrdist.service.in
+++ b/pdns/ixfrdist.service.in
@@ -35,6 +35,7 @@ RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
+MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in
index 811705e5d0..27e5701d91 100644
--- a/pdns/pdns.service.in
+++ b/pdns/pdns.service.in
@@ -41,6 +41,7 @@ RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
+MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am
index 023b05e2dd..3bae24e3ae 100644
--- a/pdns/recursordist/Makefile.am
+++ b/pdns/recursordist/Makefile.am
@@ -624,6 +624,9 @@ endif
 if !HAVE_SYSTEMD_PROTECT_PROC
 	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
 endif
+if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
+	$(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
+endif
 
 pdns-recursor@.service: pdns-recursor.service
 	$(AM_V_GEN)sed -e 's!/pdns_recursor!& --config-name=%i!' \
diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in
index 625f827bb8..3062e83f65 100644
--- a/pdns/recursordist/pdns-recursor.service.in
+++ b/pdns/recursordist/pdns-recursor.service.in
@@ -42,6 +42,7 @@ RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
+MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
-- 
2.47.2