Accepting request 925093 from server:dns

OBS-URL: https://build.opensuse.org/request/show/925093 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nsd?expand=0&rev=24
2021-10-13 16:06:13 +00:00 · 2021-10-13 16:06:13 +00:00 · 396ef2e5c8
commit 396ef2e5c8
parent f61772b7c3 c0230520f1
2 changed files with 51 additions and 3 deletions
--- a/nsd.changes
+++ b/nsd.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Wed Oct 13 12:45:45 UTC 2021 - Michael Ströder <michael@stroeder.com>
+
+- set RestrictAddressFamilies= in nsd.service
+
+-------------------------------------------------------------------
+Tue Oct 12 20:19:52 UTC 2021 - Michael Ströder <michael@stroeder.com>
+
+- reworked nsd.service:
+  * directly start as User=_nsd
+  * even more hardening
+  * removed commented and unused directives
+
+-------------------------------------------------------------------
+Tue Oct 12 20:01:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+  * nsd.service
+
 -------------------------------------------------------------------
 Tue Oct 12 18:24:24 UTC 2021 - Michael Ströder <michael@stroeder.com>

--- a/nsd.service
+++ b/nsd.service
@ -5,11 +5,40 @@ After=syslog.target network.target
 [Service]
 Type=simple
 PIDFile=/run/nsd/nsd.pid
-#EnvironmentFile=-/etc/sysconfig/nsd
-#ExecStart=/usr/sbin/nsd -D -c /etc/nsd/nsd.conf $OTHER_NSD_OPTS
 ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf
 ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state
+User=_nsd
+Group=_nsd
+
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+
+# even more hardening options
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+PrivateTmp=yes
+NoNewPrivileges=yes
+MountFlags=private
+LockPersonality=yes
+KeyringMode=private
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+DevicePolicy=closed
+MemoryDenyWriteExecute=yes
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @chown @privileged @resources @pkey @setuid

 [Install]
 WantedBy=multi-user.target
-