Pieter Lexis [Fri, 3 Dec 2021 09:37:46 +0000 (10:37 +0100)]
service files: Add ProtectProc
Another sandboxing option,
[ProtectProc](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectProc=)
hides all /proc/<pid> that are not owned by the service user and hides
some kernel things from /proc as well.
Short Description:
Raise RLIMIT_MEMLOCK automatically when eBPF is requested.
This PR adds changes to eBPF filter constructor which when invoked automatically raises the RLIMIT_MEMLOCK from 64k to 1024k.
The hard limit for the user needs to be set in `/etc/security/limits.conf`.
Remi Gacogne [Tue, 6 Dec 2022 16:43:12 +0000 (17:43 +0100)]
dnsdist: Fix a warning about long to double conversion
```
dnsdist-backend.cc:601:61: warning: implicit conversion from 'long' to 'double' changes value from 9223372036854775807 to 9223372036854775808 [-Wimplicit-const-int-float-conversion]
if (backOffCoeffTmp != HUGE_VAL && backOffCoeffTmp <= std::numeric_limits<time_t>::max()) {
~~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Remi Gacogne [Fri, 2 Dec 2022 14:57:17 +0000 (15:57 +0100)]
dnsdist: Get rid of TCPCrossProtocolQuerySender
We need this construct to deal with cross-protocol queries, like
queries received over TCP or DoT, but forwarded over DoH, because
the thread dealing with the client and the one dealing with the
backend will not be the same in that case, and we do not want to
have different threads touching the same TCP connections.
So we pass the query and response to the correct thread via pipes.
Until now we were allocating an additional object, TCPCrossProtocolQuerySender,
to deal with that case, but I noticed that the existing IncomingTCPConnectionState
object already does everything we need, except that it needs to
know that the response is a cross-protocol one in order to pass it
via the pipe instead of treating it in a different way. This can be
done by looking if the current thread ID differs from the one that
created this object: if it does, we are dealing with a cross-protocol
response and should pass it via the pipe, and if it does not we
can deal with it directly.
This change saves the need to allocate a new object wrapped in a
shared pointer for each cross-protocol query, which is quite nice.
Remi Gacogne [Tue, 6 Dec 2022 15:23:04 +0000 (16:23 +0100)]
dnsdist: Add a new chain of rules triggered after cache insertion
The general idea is to be able to store the unedited version into
the cache while delivering a different version to the actual client.
This is useful when one is sending different answers to different
clients, like when dealing with abuse traffic, but still want to be
able to cache the initial response from the backend.
We already have a chain of rules that are triggered after a cache-hit,
but until now we lacked the ability to trigger after getting the
response corresponding to a cache-miss.
Remi Gacogne [Fri, 18 Nov 2022 15:56:16 +0000 (16:56 +0100)]
dnsdist: Reduce useless wake-ups from the event loop
The TCP acceptor, UDP client and Lua network threads never needs to break out of the event loop.
The outgoing DoH one only needs to do that once per second to check for timeouts.
Remi Gacogne [Thu, 1 Dec 2022 13:34:19 +0000 (14:34 +0100)]
Restrict permissions for GITHUB_TOKEN in our workflows
Added using https://github.com/step-security/secure-workflows
For more information see:
- https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#token-permissions
- https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
Kevin P. Fleming [Tue, 29 Nov 2022 11:14:10 +0000 (06:14 -0500)]
systemd: Add "After" dependency on time-sync.target
Adds 'After=time-sync.target' to the service unit files; this will not
have any immediate effect, unless the system administrator has also
enabled a unit which has a 'Before' dependency on that target;
there are none of those units enabled in a default configuration in
common distributions. systemd itself adds such an 'After' dependency
to all timer units with OnCalendar settings, and to some other units.
However, in a system which makes use of systemd-timesyncd, the admin
can enable systemd-time-wait-sync.service, which has such a
dependency. The result would be that none of the PowerDNS services on
the system would be started until after systemd-timesyncd is certain
that the system's clock is synchronized with the configured external
source.
A similar configuration can be achieved on systems which use ntpd,
chronyd, or other time synchronization tools.
Remi Gacogne [Fri, 25 Nov 2022 17:34:17 +0000 (18:34 +0100)]
dnsdist: Ignore unclean TLS session shutdown
OpenSSL 3.0 "helpfully" treats an unclean TLS session shutdown as an
error, flooding our logs and killing TLS session resumption. We do
not care about a possible "truncation attack" since we already know
how many bytes we are supposed to get, so we can ignore this.