From d394a65b0436b33653594e60bcfbe10de595c586 Mon Sep 17 00:00:00 2001
From: Ludovic Gasc
Date: Wed, 7 Feb 2018 22:35:57 +0000
Subject: [PATCH 1/3] Increase security of bind9 cgroups container unit file: #863841
---
 debian/bind9.service | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/debian/bind9.service b/debian/bind9.service
index 9fc634cc8..d9bb4fe06 100644
--- a/debian/bind9.service
+++ b/debian/bind9.service
@@ -6,10 +6,45 @@ Wants=nss-lookup.target
 Before=nss-lookup.target

 [Service]
+Type=simple
 EnvironmentFile=/etc/default/bind9
 ExecStart=/usr/sbin/named -f $OPTIONS
 ExecReload=/usr/sbin/rndc reload
 ExecStop=/usr/sbin/rndc stop
+TimeoutSec=25
+Restart=always
+RestartSec=1
+User=bind
+Group=bind
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+SystemCallFilter=~@mount @debug acct modify_ldt add_key adjtimex
+clock_adjtime delete_module fanotify_init finit_module get_mempolicy
+init_module io_destroy io_getevents iopl ioperm io_setup io_submit
+io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages
+open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace
+remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+LimitCORE=infinity
+LimitNOFILE=infinity
+NoNewPrivileges=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadOnlyPaths=/sys
+InaccessiblePaths=/home
+InaccessiblePaths=/opt
+InaccessiblePaths=/root
+ReadWritePaths=/run/named
+ReadWritePaths=/var/cache/bind
+ReadWritePaths=/var/lib/bind

 [Install]
 WantedBy=multi-user.target
-- 
GitLab
From d109cb9e3a4868c109e7b6b0cd4b2214f62b8cf5 Mon Sep 17 00:00:00 2001
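Review bot: `User=bind` and `Group=bind` are set here while `ExecStart` still expands `$OPTIONS` from `/etc/default/bind9`, which on already-installed systems carries the `-u bind` written by the older postinst, and the new `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` leaves named without CAP_SETUID/CAP_SETGID; whether named's `-u` handling (initgroups/setgid/setuid) succeeds when it is already running as that user under this bounding set needs confirming on an upgraded host, and a comment such as `# Process identity is set by User=/Group=; do not add -u to OPTIONS` would make the contract explicit. `ProtectSystem=strict` plus the three `ReadWritePaths` lines means `/etc/bind` is read-only at runtime, so dynamic zones or journal files placed there, and any file-based logging outside `/var/cache/bind` or `/var/lib/bind`, will fail; a one-line comment above the `ReadWritePaths` block naming them as the only writable locations would save administrators a debugging session. If `/run/named` is not created by a tmpfiles.d fragment or the postinst before the unit starts, `RuntimeDirectory=named` would create it with matching ownership and fits the sandboxing model better than relying on an externally created directory. Minor: `InaccessiblePaths=/home` is already implied by `ProtectHome=true`.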
From: Ludovic Gasc
Date: Wed, 7 Feb 2018 22:41:50 +0000
Subject: [PATCH 2/3] Remove user in default file because already set by systemd service file: #863841
---
 debian/bind9.postinst | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/debian/bind9.postinst b/debian/bind9.postinst
index d1fa83f70..9e3e5183f 100644
--- a/debian/bind9.postinst
+++ b/debian/bind9.postinst
@@ -72,11 +72,7 @@ if [ "$1" = configure ]; then
 echo '' >> $config
 echo '# startup options for the server' >> $config
- if [ ! -z "$USER" ] && [ ! -z "$CONFFILE" ]; then
- echo "OPTIONS=\"-u $USER -c $CONFFILE\"" >> $config
- elif [ ! -z "$USER" ]; then
- echo "OPTIONS=\"-u $USER\"" >> $config
- elif [ ! -z "$CONFFILE" ]; then
+ if [ ! -z "$CONFFILE" ]; then
 echo "OPTIONS=\"-c $CONFFILE\"" >> $config
 else
 echo "OPTIONS=\"\"" >> $config
-- 
GitLab
From 845bed410a6f948e4e0af93ab06d02190ca7032b Mon Sep 17 00:00:00 2001
From: Ludovic Gasc
Date: Wed, 7 Feb 2018 22:43:08 +0000
Subject: [PATCH 3/3] Remove softwrap
---
 debian/bind9.service | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/debian/bind9.service b/debian/bind9.service
index d9bb4fe06..cba06e568 100644
--- a/debian/bind9.service
+++ b/debian/bind9.service
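Review bot: The new `if [ ! -z "$CONFFILE" ]; then` branch only changes what a fresh install writes; an existing `/etc/default/bind9` that earlier versions populated with `-u $USER` is not touched, so upgraded systems end up with `User=bind` in the unit and `-u bind` in OPTIONS at the same time. Either confirm that named tolerates the redundant option under the unit's reduced capability set, or have this configure step strip `-u` from an already-present OPTIONS line so the unit is the single place that decides the process identity, and say which was chosen in a comment above the branch. Style: `[ -n "$CONFFILE" ]` states the intent more directly than `[ ! -z "$CONFFILE" ]`. The enclosing `if [ "$1" = configure ]` block begins and ends outside the hunk.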
@@ -18,12 +18,7 @@ User=bind
 Group=bind
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
-SystemCallFilter=~@mount @debug acct modify_ldt add_key adjtimex
-clock_adjtime delete_module fanotify_init finit_module get_mempolicy
-init_module io_destroy io_getevents iopl ioperm io_setup io_submit
-io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages
-open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace
-remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
+SystemCallFilter=~@mount @debug acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
 LimitCORE=infinity
 LimitNOFILE=infinity
-- 
GitLab
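Review bot: The joined `SystemCallFilter=~...` line is a deny-list of individual syscall names, which fails open for anything not anticipated here; where the target systemd provides them, the named groups cover whole families in one token and are easier to audit, e.g. `@module` for `init_module finit_module delete_module`, `@swap` for `swapon swapoff`, `@raw-io` for `iopl ioperm`, `@obsolete` for `uselib`, and `@reboot` for `kexec_load`, which would also catch `kexec_file_load`, absent from this list. On a systemd new enough to offer it (235 or later, if memory serves), an allow-list such as `SystemCallFilter=@system-service` would be the stronger baseline and should be evaluated for named. The commit message describes a "softwrap" removal, but if systemd unit files require a trailing backslash for continuation lines (as I believe they do), the previous continuation lines were parsed as separate malformed assignments and ignored, so only the first line's filter was in force; worth stating in the message that this is a functional fix rather than cosmetic.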