Give recursor its own read-only mount namespace

author Ruben Kerkhof <ruben@rubenkerkhof.com>

Wed, 4 Feb 2015 10:07:44 +0000 (11:07 +0100)

committer Ruben Kerkhof <ruben@rubenkerkhof.com>

Tue, 10 Feb 2015 08:44:47 +0000 (09:44 +0100)
author Ruben Kerkhof <ruben@rubenkerkhof.com>
Wed, 4 Feb 2015 10:07:44 +0000 (11:07 +0100)
committer Ruben Kerkhof <ruben@rubenkerkhof.com>
Tue, 10 Feb 2015 08:44:47 +0000 (09:44 +0100)
diff --git a/contrib/systemd-pdns-recursor.service b/contrib/systemd-pdns-recursor.service

index b257f664229aaf737574b71066bbf477a45dcec9..e1d9420beff780b0a158bb09e7798920cb64a9f1 100644 (file)
--- a/contrib/systemd-pdns-recursor.service
+++ b/contrib/systemd-pdns-recursor.service
@@ -11,6 +11,7 @@ PrivateTmp=true
  PrivateDevices=true
  CapabilityBoundingSet=CAP_NET_BIND_SERVICE
  NoNewPrivileges=true
+ProtectSystem=full
  
  [Install]
  WantedBy=multi-user.target
author	Ruben Kerkhof <ruben@rubenkerkhof.com>
	Wed, 4 Feb 2015 10:07:44 +0000 (11:07 +0100)
committer	Ruben Kerkhof <ruben@rubenkerkhof.com>
	Tue, 10 Feb 2015 08:44:47 +0000 (09:44 +0100)