done
AX_AVAILABLE_SYSTEMD
+AX_CHECK_SYSTEMD_FEATURES
AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ])
LDFLAGS="$RELRO_LDFLAGS $LDFLAGS"
AX_CHECK_SYSTEMD_DETECT_AND_ENABLE()
AX_CHECK_SYSTEMD()
])
+
+AC_DEFUN([AX_CHECK_SYSTEMD_FEATURES], [
+ if test x"$systemd" = "xy"; then
+ _systemd_version=`systemctl --version|head -1 |cut -d" " -f 2`
+ if test $_systemd_version -ge 183; then
+ systemd_private_tmp=y
+ fi
+ if test $_systemd_version -ge 209; then
+ systemd_system_call_architectures=y
+ systemd_private_devices=y
+ fi
+ if test $_systemd_version -ge 211; then
+ systemd_restrict_address_families=y
+ fi
+ if test $_systemd_version -ge 214; then
+ systemd_protect_system=y
+ systemd_protect_home=y
+ fi
+ if test $_systemd_version -ge 231; then
+ systemd_restrict_realtime=y
+ systemd_memory_deny_write_execute=y
+ fi
+ if test $_systemd_version -ge 232; then
+ systemd_protect_control_groups=y
+ systemd_protect_kernel_modules=y
+ systemd_protect_kernel_tunables=y
+ systemd_remove_ipc=y
+ systemd_dynamic_user=y
+ systemd_private_users=y
+ systemd_protect_system_strict=y
+ fi
+ if test $_systemd_version -ge 233; then
+ systemd_restrict_namespaces=y
+ fi
+ if test $_systemd_version -ge 235; then
+ systemd_lock_personality=y
+ # while SystemCallFilter is technically available starting with 187,
+ # we use the pre-defined call filter sets that have been introduced later.
+ # Initial support for these landed in 231
+ # @filesystem @reboot @swap in 233
+ # @aio, @sync, @chown, @setuid, @memlock, @signal and @timer in 235
+ systemd_system_call_filter=y
+ fi
+ fi
+ AM_CONDITIONAL([HAVE_SYSTEMD_DYNAMIC_USER], [ test x"$systemd_dynamic_user" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_LOCK_PERSONALITY], [ test x"$systemd_lock_personality" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_MEMORY_DENY_WRITE_EXECUTE], [ test x"$systemd_memory_deny_write_execute" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_DEVICES], [ test x"$systemd_private_devices" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_TMP], [ test x"$systemd_private_tmp" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PRIVATE_USERS], [ test x"$systemd_private_users" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_CONTROL_GROUPS], [ test x"$systemd_protect_control_groups" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_HOME], [ test x"$systemd_protect_home" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_MODULES], [ test x"$systemd_protect_kernel_modules" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_KERNEL_TUNABLES], [ test x"$systemd_protect_kernel_tunables" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_SYSTEM], [ test x"$systemd_protect_system" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_PROTECT_SYSTEM_STRICT], [ test x"$systemd_protect_system_strict" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_REMOVE_IPC], [ test x"$systemd_remove_ipc" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_RESTRICT_ADDRESS_FAMILIES], [ test x"$systemd_restrict_address_families" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_RESTRICT_NAMESPACES], [ test x"$systemd_restrict_namespaces" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_RESTRICT_REALTIME], [ test x"$systemd_restrict_realtime" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_SYSTEM_CALL_ARCHITECTURES], [ test x"$systemd_system_call_architectures" = "xy" ])
+ AM_CONDITIONAL([HAVE_SYSTEMD_SYSTEM_CALL_FILTER], [ test x"$systemd_system_call_filter" = "xy" ])
+])
if HAVE_SYSTEMD
pdns.service: pdns.service.in
$(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' < $< > $@
+if !HAVE_SYSTEMD_LOCK_PERSONALITY
+ $(AM_V_GEN)sed -i '' -e '/^LockPersonality/d' $@
+endif
+if !HAVE_SYSTEMD_PRIVATE_DEVICES
+ $(AM_V_GEN)sed -i '' -e '/^PrivateDevices/d' $@
+endif
+if !HAVE_SYSTEMD_PRIVATE_TMP
+ $(AM_V_GEN)sed -i '' -e '/^PrivateTmp/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_CONTROL_GROUPS
+ $(AM_V_GEN)sed -i '' -e '/^ProtectControlGroups/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_HOME
+ $(AM_V_GEN)sed -i '' -e '/^ProtectHome/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_KERNEL_MODULES
+ $(AM_V_GEN)sed -i '' -e '/^ProtectKernelModules/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_KERNEL_TUNABLES
+ $(AM_V_GEN)sed -i '' -e '/^ProtectKernelTunables/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_SYSTEM
+ $(AM_V_GEN)sed -i '' -e '/^ProtectSystem/d' $@
+endif
+if !HAVE_SYSTEMD_RESTRICT_ADDRESS_FAMILIES
+ $(AM_V_GEN)sed -i '' -e '/^RestrictAddressFamilies/d' $@
+endif
+if !HAVE_SYSTEMD_RESTRICT_NAMESPACES
+ $(AM_V_GEN)sed -i '' -e '/^RestrictNamespaces/d' $@
+endif
+if !HAVE_SYSTEMD_RESTRICT_REALTIME
+ $(AM_V_GEN)sed -i '' -e '/^RestrictRealtime/d' $@
+endif
+if !HAVE_SYSTEMD_SYSTEM_CALL_ARCHITECTURES
+ $(AM_V_GEN)sed -i '' -e '/^SystemCallArchitectures/d' $@
+endif
+if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
+ $(AM_V_GEN)sed -i '' -e '/^SystemCallFilter/d' $@
+endif
pdns@.service: pdns.service
$(AM_V_GEN)sed -e 's!/pdns_server!& --config-name=%i!' \
if HAVE_SYSTEMD
dnsdist.service: dnsdist.service.in
$(AM_V_GEN)sed -e 's![@]bindir[@]!$(bindir)!' < $< > $@
+if !HAVE_SYSTEMD_LOCK_PERSONALITY
+ $(AM_V_GEN)sed -i '' -e '/^LockPersonality/d' $@
+endif
+if !HAVE_SYSTEMD_PRIVATE_DEVICES
+ $(AM_V_GEN)sed -i '' -e '/^PrivateDevices/d' $@
+endif
+if !HAVE_SYSTEMD_PRIVATE_TMP
+ $(AM_V_GEN)sed -i '' -e '/^PrivateTmp/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_CONTROL_GROUPS
+ $(AM_V_GEN)sed -i '' -e '/^ProtectControlGroups/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_HOME
+ $(AM_V_GEN)sed -i '' -e '/^ProtectHome/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_KERNEL_MODULES
+ $(AM_V_GEN)sed -i '' -e '/^ProtectKernelModules/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_KERNEL_TUNABLES
+ $(AM_V_GEN)sed -i '' -e '/^ProtectKernelTunables/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_SYSTEM
+ $(AM_V_GEN)sed -i '' -e '/^ProtectSystem/d' $@
+endif
+if !HAVE_SYSTEMD_RESTRICT_ADDRESS_FAMILIES
+ $(AM_V_GEN)sed -i '' -e '/^RestrictAddressFamilies/d' $@
+endif
+if !HAVE_SYSTEMD_RESTRICT_NAMESPACES
+ $(AM_V_GEN)sed -i '' -e '/^RestrictNamespaces/d' $@
+endif
+if !HAVE_SYSTEMD_RESTRICT_REALTIME
+ $(AM_V_GEN)sed -i '' -e '/^RestrictRealtime/d' $@
+endif
+if !HAVE_SYSTEMD_SYSTEM_CALL_ARCHITECTURES
+ $(AM_V_GEN)sed -i '' -e '/^SystemCallArchitectures/d' $@
+endif
+if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
+ $(AM_V_GEN)sed -i '' -e '/^SystemCallFilter/d' $@
+endif
dnsdist@.service: dnsdist.service
$(AM_V_GEN)sed -e 's!/dnsdist !&--config $(sysconfdir)/dnsdist-%i.conf !' < $< >$@
PDNS_WITH_LIBCAP
AX_AVAILABLE_SYSTEMD
+AX_CHECK_SYSTEMD_FEATURES
AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ])
AC_SUBST([YAHTTP_CFLAGS], ['-I$(top_srcdir)/ext/yahttp'])
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
[Install]
WantedBy=multi-user.target
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
[Install]
WantedBy=multi-user.target
if HAVE_SYSTEMD
pdns-recursor.service: pdns-recursor.service.in
$(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' < $< > $@
+if !HAVE_SYSTEMD_LOCK_PERSONALITY
+ $(AM_V_GEN)sed -i '' -e '/^LockPersonality/d' $@
+endif
+if !HAVE_SYSTEMD_PRIVATE_DEVICES
+ $(AM_V_GEN)sed -i '' -e '/^PrivateDevices/d' $@
+endif
+if !HAVE_SYSTEMD_PRIVATE_TMP
+ $(AM_V_GEN)sed -i '' -e '/^PrivateTmp/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_CONTROL_GROUPS
+ $(AM_V_GEN)sed -i '' -e '/^ProtectControlGroups/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_HOME
+ $(AM_V_GEN)sed -i '' -e '/^ProtectHome/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_KERNEL_MODULES
+ $(AM_V_GEN)sed -i '' -e '/^ProtectKernelModules/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_KERNEL_TUNABLES
+ $(AM_V_GEN)sed -i '' -e '/^ProtectKernelTunables/d' $@
+endif
+if !HAVE_SYSTEMD_PROTECT_SYSTEM
+ $(AM_V_GEN)sed -i '' -e '/^ProtectSystem/d' $@
+endif
+if !HAVE_SYSTEMD_RESTRICT_ADDRESS_FAMILIES
+ $(AM_V_GEN)sed -i '' -e '/^RestrictAddressFamilies/d' $@
+endif
+if !HAVE_SYSTEMD_RESTRICT_NAMESPACES
+ $(AM_V_GEN)sed -i '' -e '/^RestrictNamespaces/d' $@
+endif
+if !HAVE_SYSTEMD_RESTRICT_REALTIME
+ $(AM_V_GEN)sed -i '' -e '/^RestrictRealtime/d' $@
+endif
+if !HAVE_SYSTEMD_SYSTEM_CALL_ARCHITECTURES
+ $(AM_V_GEN)sed -i '' -e '/^SystemCallArchitectures/d' $@
+endif
+if !HAVE_SYSTEMD_SYSTEM_CALL_FILTER
+ $(AM_V_GEN)sed -i '' -e '/^SystemCallFilter/d' $@
+endif
pdns-recursor@.service: pdns-recursor.service
$(AM_V_GEN)sed -e 's!/pdns_recursor!& --config-name=%i!' \
PDNS_ENABLE_MALLOC_TRACE
PDNS_ENABLE_VALGRIND
AX_AVAILABLE_SYSTEMD
+AX_CHECK_SYSTEMD_FEATURES
AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ])
PDNS_CHECK_VIRTUALENV
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
[Install]
WantedBy=multi-user.target