From a970b4b2e308c307e5969136d77689f6941b7f1ed9cfb1c3fdaf7cbdefb991e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Str=C3=B6der?=
Date: Tue, 12 Oct 2021 19:53:30 +0000
Subject: [PATCH 1/4] Accepting request 924899 from home:jsegitz:branches:systemdhardening:server:dns
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/924899
OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=88
---
 nsd.changes | 6 ++++++
 nsd.service | 13 +++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/nsd.changes b/nsd.changes
index 75ca63c..68506f5 100644
--- a/nsd.changes
+++ b/nsd.changes
@@ -28,6 +28,12 @@ BUG FIXES:
 - Fix #194: Incorrect NSEC3 response for SOA query below delegation point.
+-------------------------------------------------------------------
+Mon Oct 11 09:29:34 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * nsd.service
+
 -------------------------------------------------------------------
 Thu Jul 22 18:21:09 UTC 2021 - Michael Ströder
diff --git a/nsd.service b/nsd.service
index 21fa34d..487aeba 100644
--- a/nsd.service
+++ b/nsd.service
@@ -3,6 +3,19 @@ Description=NSD DNS Server
 After=syslog.target network.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=simple
 PIDFile=/run/nsd/nsd.pid
 #EnvironmentFile=-/etc/sysconfig/nsd
From 3625623c9236d22224daac65614bf81625848054ba72162ab533ece51b3f6e54 Mon Sep 17 00:00:00 2001
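Review bot: `ProtectSystem=full` only makes /usr, /boot, /efi and /etc read-only, so /var and /run stay fully writable, and since this version of the unit sets no `User=` the daemon still runs as root — the added directives limit what a compromised nsd can touch in the OS image but do not confine its own writes. The commit message says the change was not tested, and the unit itself names the writable locations it needs (`PIDFile=/run/nsd/nsd.pid` in this hunk, and the `/var/lib/nsd/xfrd.state` cleanup in the later patch of this series), so those are the paths to verify. Turning that into an explicit allow-list with `ProtectSystem=strict` and `ReadWritePaths=/var/lib/nsd /run/nsd` would state the write surface rather than leave it implicit. Placing the banner-delimited block above `Type=`/`PIDFile=` is cosmetic but makes the unit's core directives harder to spot; keeping hardening after the Exec*/User lines reads better.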
From: =?UTF-8?q?Michael=20Str=C3=B6der?=
Date: Tue, 12 Oct 2021 20:03:47 +0000
Subject: [PATCH 2/4] Accepting request 924957 from home:stroeder:network
Added hardening to systemd service(s) (bsc#1181400) (Re-ordered nsd.changes)
OBS-URL: https://build.opensuse.org/request/show/924957
OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=89
---
 nsd.changes | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/nsd.changes b/nsd.changes
index 68506f5..e61b359 100644
--- a/nsd.changes
+++ b/nsd.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 12 20:01:24 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * nsd.service
+
 -------------------------------------------------------------------
 Tue Oct 12 18:24:24 UTC 2021 - Michael Ströder
@@ -28,12 +34,6 @@ BUG FIXES:
 - Fix #194: Incorrect NSEC3 response for SOA query below delegation point.
--------------------------------------------------------------------
-Mon Oct 11 09:29:34 UTC 2021 - Johannes Segitz
-
-- Added hardening to systemd service(s) (bsc#1181400). Modified:
- * nsd.service
-
 -------------------------------------------------------------------
 Thu Jul 22 18:21:09 UTC 2021 - Michael Ströder
From 1c78b76f3629d4ac232aab56c2b5265e1b751e62f17d22a9c3b3a4b4084b2e21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Str=C3=B6der?=
Date: Tue, 12 Oct 2021 20:46:21 +0000
Subject: [PATCH 3/4] Accepting request 924959 from home:stroeder:network
- reworked nsd.service:
 * directly start as User=_nsd
 * even more hardening
 * removed commented and unused directives
FWIW: This was successfully tested on Tumbleweed x86_64.
OBS-URL: https://build.opensuse.org/request/show/924959
OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=90
---
 nsd.changes | 8 ++++++++
 nsd.service | 32 ++++++++++++++++++++++++--------
 2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/nsd.changes b/nsd.changes
index e61b359..47d7c45 100644
--- a/nsd.changes
+++ b/nsd.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Oct 12 20:19:52 UTC 2021 - Michael Ströder
+
+- reworked nsd.service:
+ * directly start as User=_nsd
+ * even more hardening
+ * removed commented and unused directives
+
 -------------------------------------------------------------------
 Tue Oct 12 20:01:24 UTC 2021 - Johannes Segitz
diff --git a/nsd.service b/nsd.service
index 487aeba..9c92048 100644
--- a/nsd.service
+++ b/nsd.service
@@ -3,6 +3,13 @@ Description=NSD DNS Server
 After=syslog.target network.target
 [Service]
+Type=simple
+PIDFile=/run/nsd/nsd.pid
+ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf
+ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state
+User=_nsd
+Group=_nsd
+
 # added automatically, for details please see
 # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 ProtectSystem=full
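Review bot: `ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state` now runs as `_nsd` as well, because `User=`/`Group=` apply to every Exec* line, so with `-f` the cleanup fails silently if /var/lib/nsd is not writable by `_nsd`; likewise nsd must be able to create `PIDFile=/run/nsd/nsd.pid` as `_nsd`, which depends on a tmpfiles entry or package ownership that is not visible in this patch. `RuntimeDirectory=nsd` would have systemd create /run/nsd owned by the service user on every start and remove it on stop, removing that dependency (a `StateDirectory=nsd` equivalent for /var/lib/nsd is worth considering but can change ownership of an existing directory, so it needs checking against the package). Starting directly as `_nsd` also means any `username:` or `chroot:` setting in /etc/nsd/nsd.conf — not part of this commit — would make nsd attempt a privilege drop or chroot it can no longer perform with only CAP_NET_BIND_SERVICE (granted further down in this patch); presumably the shipped config leaves both unset, but that should be confirmed and recorded next to `User=_nsd`, e.g. `# nsd starts unprivileged; nsd.conf must not set username:/chroot:`.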
@@ -15,14 +22,23 @@ ProtectKernelModules=true
 ProtectKernelLogs=true
 ProtectControlGroups=true
 RestrictRealtime=true
-# end of automatic additions
-Type=simple
-PIDFile=/run/nsd/nsd.pid
-#EnvironmentFile=-/etc/sysconfig/nsd
-#ExecStart=/usr/sbin/nsd -D -c /etc/nsd/nsd.conf $OTHER_NSD_OPTS
-ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf
-ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state
+# end of automatic additions
+
+# even more hardening options
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+PrivateTmp=yes
+NoNewPrivileges=yes
+MountFlags=private
+LockPersonality=yes
+KeyringMode=private
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+DevicePolicy=closed
+MemoryDenyWriteExecute=yes
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @chown @privileged @resources @pkey @setuid
 [Install]
 WantedBy=multi-user.target
-
From c0230520f103aa137f2bc55960b8d0902868530b3da9c3f98b8361f6e07e3539 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Str=C3=B6der?=
Date: Wed, 13 Oct 2021 12:52:27 +0000
Subject: [PATCH 4/4] Accepting request 925092 from home:stroeder:network
- set RestrictAddressFamilies= in nsd.service
OBS-URL: https://build.opensuse.org/request/show/925092
OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=91
---
 nsd.changes | 5 +++++
 nsd.service | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/nsd.changes b/nsd.changes
index 47d7c45..adc90a5 100644
--- a/nsd.changes
+++ b/nsd.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Oct 13 12:45:45 UTC 2021 - Michael Ströder
+
+- set RestrictAddressFamilies= in nsd.service
+
 -------------------------------------------------------------------
 Tue Oct 12 20:19:52 UTC 2021 - Michael Ströder
diff --git a/nsd.service b/nsd.service
index 9c92048..b5a8a50 100644
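Review bot: `SystemCallFilter=~ @clock … @privileged @resources @pkey @setuid` is a deny-list with systemd's default action, so any syscall in those groups terminates nsd with SIGSYS rather than returning an error, and `@setuid`/`@privileged` are exactly what nsd would call if nsd.conf carried a `username:` or `chroot:` directive — the unit and the shipped config now have to agree or the daemon dies at startup with an unhelpful signal. The pattern the systemd.exec manual recommends is the allow-list `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources @keyring @setuid @pkey`, plus `SystemCallErrorNumber=EPERM` so an unexpected call shows up as a logged error instead of a crash; the remaining groups on the current line (@obsolete, @debug, @mount, @cpu-emulation, @raw-io, @reboot, @swap, @module, @clock, @chown) are either excluded from @system-service already or, per the manual, subsets of @privileged. `CapabilityBoundingSet=`/`AmbientCapabilities=CAP_NET_BIND_SERVICE` together with `NoNewPrivileges=yes` are consistent with starting as `_nsd` and binding port 53, but the ambient capability is inherited by `ExecStopPost`'s `rm` as well, which is harmless here and worth a one-line comment. The space after the tilde in `~ @clock` appears to be tolerated by the parser but is not the documented form; `~@clock` avoids any doubt.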
--- a/nsd.service
+++ b/nsd.service
@@ -27,7 +27,7 @@ RestrictRealtime=true
 # even more hardening options
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
-#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
 PrivateTmp=yes
 NoNewPrivileges=yes
 MountFlags=private
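Review bot: `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK` adds netlink without recording why — the changelog entry only says the directive was set — and AF_NETLINK is the family most likely to be removed, or widened, blindly by the next maintainer. The probable reason is interface and address enumeration over rtnetlink by glibc's getifaddrs()/getaddrinfo() when `ip-address:` entries are resolved, but that is an inference from how such daemons usually behave, not something this patch shows, so it should be confirmed against the failure seen without it and then written down: `# AF_NETLINK: rtnetlink interface/address lookups (getifaddrs/getaddrinfo); CAP_NET_ADMIN is not in the bounding set, so only read-only queries are possible`. The same line should say what AF_UNIX is kept for (presumably syslog/journal logging or a local control socket), since each family listed here is a deliberate hole in the sandbox.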