From 95ba871bd006cde752d0a51e538c011b3e03ee1e Mon Sep 17 00:00:00 2001
From: bgme
Date: Fri, 9 May 2025 20:49:49 +0800
Subject: [PATCH 1/2] feat(systemd/smartdns.service.in): securing systemd service
---
 systemd/smartdns.service.in | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/systemd/smartdns.service.in b/systemd/smartdns.service.in
index 56b1d68056..7b6273787e 100644
--- a/systemd/smartdns.service.in
+++ b/systemd/smartdns.service.in
@@ -9,13 +9,45 @@ StartLimitIntervalSec=60
 [Service]
 Type=forking
-PIDFile=@RUNSTATEDIR@/smartdns.pid
+DynamicUser=true
+RuntimeDirectory=smartdns
+LogsDirectory=smartdns
+CacheDirectory=smartdns
+PIDFile=/run/smartdns/smartdns.pid
 EnvironmentFile=@SYSCONFDIR@/default/smartdns
-ExecStart=@SBINDIR@/smartdns -p @RUNSTATEDIR@/smartdns.pid $SMART_DNS_OPTS
+LoadCredential=smartdns.conf:@SYSCONFDIR@/smartdns/smartdns.conf
+ExecStart=@SBINDIR@/smartdns -p $PIDFILE -c "${CREDENTIALS_DIRECTORY}/smartdns.conf" $SMART_DNS_OPTS
 Restart=always
 RestartSec=2
 TimeoutStopSec=15
+# Capabilities
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
+
+# Hardening options
+DevicePolicy=closed
+LockPersonality=true
+MemoryAccounting=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+
 [Install]
 WantedBy=multi-user.target
 Alias=smartdns.service
From 7bb299d42fbbdc17b7c8b2d4d0c7d10697a49ac2 Mon Sep 17 00:00:00 2001
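Review bot: `$PIDFILE` in the new ExecStart line is not defined anywhere in this unit — no `Environment=PIDFILE=…` is set, and unless `@SYSCONFDIR@/default/smartdns` happens to export it, systemd expands an unset `$VAR` word to nothing, so the daemon is started as `-p -c …` and the path named in `PIDFile=` is never written. Either use the path literally, `ExecStart=@SBINDIR@/smartdns -p /run/smartdns/smartdns.pid -c "${CREDENTIALS_DIRECTORY}/smartdns.conf" $SMART_DNS_OPTS`, or add `Environment=PIDFILE=/run/smartdns/smartdns.pid` above it so PIDFile= and the daemon agree on one location. The hardening block also lacks the two directives that normally accompany this set, `SystemCallArchitectures=native` and `SystemCallFilter=@system-service`; they restrict the syscall surface in a way none of the Protect*= lines do, provided smartdns still starts with them. Because LoadCredential= hands the daemon a copy of smartdns.conf under ${CREDENTIALS_DIRECTORY}, any `conf-file` includes resolved relative to the main config's directory would presumably no longer find /etc/smartdns — worth confirming against smartdns's include handling before relying on this.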
From: bgme
Date: Sun, 11 May 2025 11:45:07 +0800
Subject: [PATCH 2/2] systemd: add CAP_NET_RAW
---
 systemd/smartdns.service.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/systemd/smartdns.service.in b/systemd/smartdns.service.in
index 7b6273787e..137923a9cc 100644
--- a/systemd/smartdns.service.in
+++ b/systemd/smartdns.service.in
@@ -22,8 +22,8 @@ RestartSec=2
 TimeoutStopSec=15
 # Capabilities
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
-AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW
 # Hardening options
 DevicePolicy=closed
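Review bot: Adding CAP_NET_RAW to both capability sets gives the daemon raw and packet sockets on every interface, and neither the unit nor the commit message says why it is needed; a comment next to the two lines such as `# CAP_NET_RAW: required for <reason — presumably the ping-based speed check; confirm>` would let a later reviewer distinguish a required grant from a leftover one. Since the hardening block has no `RestrictAddressFamilies=`, the new capability also unlocks AF_PACKET; if smartdns only opens IP, Unix and possibly netlink sockets, `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK` would confine CAP_NET_RAW to those families, but which families the daemon actually uses must be checked before adding the line. The same justification comment is owed for CAP_NET_ADMIN, carried over unchanged from the first patch.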