systemd service: Only enable MemoryDenyWriteExecute for ixfrdist

Because it does not play well with LuaJIT, which all other products use.
PowerDNS · Dec 7, 2022 · 3b78486 · 3b78486
1 parent a4e4a9d
commit 3b78486
Show file tree

Hide file tree

Showing 7 changed files with 7 additions and 13 deletions.
diff --git a/pdns/Makefile.am b/pdns/Makefile.am
@@ -1793,9 +1793,6 @@ endif
 if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
 	$(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@
 endif
-if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
-	$(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
-endif
 if !HAVE_SYSTEMD_PROTECT_PROC
 	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
 endif

diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am
@@ -542,9 +542,6 @@ endif
 if !HAVE_SYSTEMD_PROTECT_PROC
 	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
 endif
-if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
-	$(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
-endif
 if !HAVE_SYSTEMD_PRIVATE_IPC
 	$(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@
 endif

diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in
@@ -51,10 +51,11 @@ RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
-MemoryDenyWriteExecute=true
 PrivateIPC=true
 RemoveIPC=true
 DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/ixfrdist.service.in b/pdns/ixfrdist.service.in
@@ -35,10 +35,10 @@ RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
-MemoryDenyWriteExecute=true
 PrivateIPC=true
 RemoveIPC=true
 DevicePolicy=closed
+MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in
@@ -41,10 +41,11 @@ RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
-MemoryDenyWriteExecute=true
 PrivateIPC=true
 RemoveIPC=true
 DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am
@@ -624,9 +624,6 @@ endif
 if !HAVE_SYSTEMD_PROTECT_PROC
 	$(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@
 endif
-if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE
-	$(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@
-endif
 if !HAVE_SYSTEMD_PRIVATE_IPC
 	$(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@
 endif

diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in
@@ -42,10 +42,11 @@ RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 ProtectProc=invisible
-MemoryDenyWriteExecute=true
 PrivateIPC=true
 RemoveIPC=true
 DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target