Accepting request 924959 from home:stroeder:network

- reworked nsd.service: * directly start as User=_nsd * even more hardening * removed commented and unused directives FWIW: This was successfully tested on Tumbleweed x86_64. OBS-URL: https://build.opensuse.org/request/show/924959 OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=90
2021-10-12 20:46:21 +00:00 · 2021-10-12 20:46:21 +00:00 · 1c78b76f36
commit 1c78b76f36
parent 3625623c92
2 changed files with 32 additions and 8 deletions
--- a/nsd.changes
+++ b/nsd.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Oct 12 20:19:52 UTC 2021 - Michael Ströder <michael@stroeder.com>
+
+- reworked nsd.service:
+  * directly start as User=_nsd
+  * even more hardening
+  * removed commented and unused directives
+
 -------------------------------------------------------------------
 Tue Oct 12 20:01:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

--- a/nsd.service
+++ b/nsd.service
@ -3,6 +3,13 @@ Description=NSD DNS Server
 After=syslog.target network.target

 [Service]
+Type=simple
+PIDFile=/run/nsd/nsd.pid
+ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf
+ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state
+User=_nsd
+Group=_nsd
+
 # added automatically, for details please see
 # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 ProtectSystem=full
@ -15,14 +22,23 @@ ProtectKernelModules=true
 ProtectKernelLogs=true
 ProtectControlGroups=true
 RestrictRealtime=true
-# end of automatic additions 
-Type=simple
-PIDFile=/run/nsd/nsd.pid
-#EnvironmentFile=-/etc/sysconfig/nsd
-#ExecStart=/usr/sbin/nsd -D -c /etc/nsd/nsd.conf $OTHER_NSD_OPTS
-ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf
-ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state
+# end of automatic additions
+
+# even more hardening options
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+PrivateTmp=yes
+NoNewPrivileges=yes
+MountFlags=private
+LockPersonality=yes
+KeyringMode=private
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+DevicePolicy=closed
+MemoryDenyWriteExecute=yes
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @chown @privileged @resources @pkey @setuid

 [Install]
 WantedBy=multi-user.target
-