MINOR: systemd: Add SystemD's Protect*= options to the unit file While the haproxy workers usually are running chrooted the master process is not. This patch is a pretty safe defense in depth measure to ensure haproxy cannot touch sensitive parts of the file system. ProtectSystem takes non-boolean arguments in newer SystemD versions, but setting those would leave older systems such as Ubuntu Xenial unprotected. Distro maintainers and system administrators could adapt the ProtectSystem value to the SystemD version they ship.

commit: 8a9659212e4d491e4195de72aee4149db6359e09 [log] [tgz]
author: Tim Duesterhus <tim@bastelstu.be> Tue Feb 27 20:19:04 2018 +0100
committer: Willy Tarreau <w@1wt.eu> Thu Mar 01 15:57:15 2018 +0100
tree: 3417b51782cdcbe22d92ead9415374f6f06bd3b6
parent: 1ce8de2d93066d29e57ca2bb9cc0e0ff321f2043 [diff]
diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in
index 5d8eecf..846bcc7 100644
--- a/contrib/systemd/haproxy.service.in
+++ b/contrib/systemd/haproxy.service.in

@@ -18,5 +18,15 @@
 # reduced performance. See systemd.service(5) and systemd.exec(5) for further
 # information.
 
+# NoNewPrivileges=true
+# ProtectHome=true
+# If you want to use 'ProtectSystem=strict' you should whitelist the PIDFILE,
+# any state files and any other files written using 'ReadWritePaths' or
+# 'RuntimeDirectory'.
+# ProtectSystem=true
+# ProtectKernelTunables=true
+# ProtectKernelModules=true
+# ProtectControlGroups=true
+
 [Install]
 WantedBy=multi-user.target
commit	8a9659212e4d491e4195de72aee4149db6359e09	[log] [tgz]
author	Tim Duesterhus <tim@bastelstu.be>	Tue Feb 27 20:19:04 2018 +0100
committer	Willy Tarreau <w@1wt.eu>	Thu Mar 01 15:57:15 2018 +0100
tree	3417b51782cdcbe22d92ead9415374f6f06bd3b6
parent	1ce8de2d93066d29e57ca2bb9cc0e0ff321f2043 [diff]