From 3b78486a3e7137b9c959f95af99fa83185ecfe8e Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Tue, 29 Nov 2022 16:10:57 +0100 Subject: [PATCH] systemd service: Only enable MemoryDenyWriteExecute for ixfrdist Because it does not play well with LuaJIT, which all other products use. --- pdns/Makefile.am | 3 --- pdns/dnsdistdist/Makefile.am | 3 --- pdns/dnsdistdist/dnsdist.service.in | 3 ++- pdns/ixfrdist.service.in | 2 +- pdns/pdns.service.in | 3 ++- pdns/recursordist/Makefile.am | 3 --- pdns/recursordist/pdns-recursor.service.in | 3 ++- 7 files changed, 7 insertions(+), 13 deletions(-) diff --git a/pdns/Makefile.am b/pdns/Makefile.am index b12c11802a82..4fea89c11c0c 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am @@ -1793,9 +1793,6 @@ endif if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER $(AM_V_GEN)perl -ni -e 'print unless /^SystemCallFilter/' $@ endif -if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE - $(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@ -endif if !HAVE_SYSTEMD_PROTECT_PROC $(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@ endif diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am index 43d5cc165913..c3ed1f158072 100644 --- a/pdns/dnsdistdist/Makefile.am +++ b/pdns/dnsdistdist/Makefile.am @@ -542,9 +542,6 @@ endif if !HAVE_SYSTEMD_PROTECT_PROC $(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@ endif -if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE - $(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@ -endif if !HAVE_SYSTEMD_PRIVATE_IPC $(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@ endif diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in index 73d78fd02869..eb75e7632a51 100644 --- a/pdns/dnsdistdist/dnsdist.service.in +++ b/pdns/dnsdistdist/dnsdist.service.in @@ -51,10 +51,11 @@ RestrictSUIDSGID=true SystemCallArchitectures=native SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete ProtectProc=invisible -MemoryDenyWriteExecute=true PrivateIPC=true RemoveIPC=true DevicePolicy=closed +# Not enabled by default because it does not play well with LuaJIT +# MemoryDenyWriteExecute=true [Install] WantedBy=multi-user.target diff --git a/pdns/ixfrdist.service.in b/pdns/ixfrdist.service.in index b69618abe386..a1b07220a3f1 100644 --- a/pdns/ixfrdist.service.in +++ b/pdns/ixfrdist.service.in @@ -35,10 +35,10 @@ RestrictSUIDSGID=true SystemCallArchitectures=native SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete ProtectProc=invisible -MemoryDenyWriteExecute=true PrivateIPC=true RemoveIPC=true DevicePolicy=closed +MemoryDenyWriteExecute=true [Install] WantedBy=multi-user.target diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in index d073ec3d5eb3..1d23347b4d28 100644 --- a/pdns/pdns.service.in +++ b/pdns/pdns.service.in @@ -41,10 +41,11 @@ RestrictSUIDSGID=true SystemCallArchitectures=native SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete ProtectProc=invisible -MemoryDenyWriteExecute=true PrivateIPC=true RemoveIPC=true DevicePolicy=closed +# Not enabled by default because it does not play well with LuaJIT +# MemoryDenyWriteExecute=true [Install] WantedBy=multi-user.target diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am index cde922ed8fcf..629976e0d15a 100644 --- a/pdns/recursordist/Makefile.am +++ b/pdns/recursordist/Makefile.am @@ -624,9 +624,6 @@ endif if !HAVE_SYSTEMD_PROTECT_PROC $(AM_V_GEN)perl -ni -e 'print unless /^ProtectProc/' $@ endif -if !HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE - $(AM_V_GEN)perl -ni -e 'print unless /^MemoryDenyWriteExecute/' $@ -endif if !HAVE_SYSTEMD_PRIVATE_IPC $(AM_V_GEN)perl -ni -e 'print unless /^PrivateIPC/' $@ endif diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in index dc88bbfda706..ddb923672017 100644 --- a/pdns/recursordist/pdns-recursor.service.in +++ b/pdns/recursordist/pdns-recursor.service.in @@ -42,10 +42,11 @@ RestrictSUIDSGID=true SystemCallArchitectures=native SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete ProtectProc=invisible -MemoryDenyWriteExecute=true PrivateIPC=true RemoveIPC=true DevicePolicy=closed +# Not enabled by default because it does not play well with LuaJIT +# MemoryDenyWriteExecute=true [Install] WantedBy=multi-user.target