From: Ruben Kerkhof Date: Wed, 4 Feb 2015 10:07:44 +0000 (+0100) Subject: Give recursor its own read-only mount namespace X-Git-Tag: dnsdist-1.0.0-alpha1~306^2~4^2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=efcf71cc578ba88ca73b5b2aea0838e0299f9784;p=pdns Give recursor its own read-only mount namespace /usr and /etc are mounted read-only --- diff --git a/contrib/systemd-pdns-recursor.service b/contrib/systemd-pdns-recursor.service index b257f6642..e1d9420be 100644 --- a/contrib/systemd-pdns-recursor.service +++ b/contrib/systemd-pdns-recursor.service @@ -11,6 +11,7 @@ PrivateTmp=true PrivateDevices=true CapabilityBoundingSet=CAP_NET_BIND_SERVICE NoNewPrivileges=true +ProtectSystem=full [Install] WantedBy=multi-user.target
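Review bot: the added `ProtectSystem=full` line, placed after `NoNewPrivileges=true` in the service section, has no comment saying what it restricts; only the commit message records that /usr and /etc become read-only. A one-line comment above the directive in the unit file would let an administrator who later sees a write under /etc fail connect that failure to this setting. Before merging, it is also worth confirming that nothing in the recursor's default setup writes under /usr or /etc at runtime, because the hunk adds no `ReadWriteDirectories=` exception alongside the new directive.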