59 changes: 55 additions & 4 deletions systemd-hosts.d.service
Expand Up @@ -3,13 +3,64 @@ Description=Keep your hosts records in logically separated files
After=local-fs.target

[Service]
# Security
ProtectSystem=yes
ProtectHome=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectKernelLogs=yes
SystemCallFilter=@basic-io @file-system @chown @ipc @process
SystemCallErrorNumber=EPERM
NoNewPrivileges=yes
PrivateTmp=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectClock=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/hosts.d
RuntimeDirectoryPreserve=no

# Service
Type=oneshot

# Environment
Environment="HOSTS_FILE=/etc/hosts"
Environment="HOSTS_DIRECTORY=/etc/hosts.d"
ExecStart=/bin/sh -c 'echo -e "## Generated by systemd-hosts.d ##\\n" > $HOSTS_FILE'
ExecStart=/bin/sh -c 'echo -e "## All changes in this file will be ignored ##\\n" >> $HOSTS_FILE'
ExecStart=/bin/sh -c 'cat $HOSTS_DIRECTORY/*.conf | grep \'^[[:blank:]]*[^[:blank:]#;]\' >> $HOSTS_FILE'
ExecStart=/bin/chmod ugo=r $HOSTS_FILE
# Loosely match IPv4 or IPv6 followed by hostname and hostalias(s)
Environment="HOSTS_REGEX_BASE=^\\([0-9]\\{1,3\\}\\.\\|[0-9a-fA-F]\\{1,4\\}:\\|::\\).\\+\\?\\(\\s\\+[a-zA-Z0-9.-]\\{1,\\}\\)\\{1,\\}$"
Environment="HOSTS_REGEX_COMMENT=^#.*$"
# Override with HOSTS_ENABLE_COMMENT=yes to include comments from the source conf files
Environment="HOSTS_ENABLE_COMMENT=no"

# Condition - validate that matching regex is found in the source before overwriting $HOSTS_FILE
ExecCondition=/bin/sh -c 'grep -r "$HOSTS_REGEX_BASE" "$HOSTS_DIRECTORY" >/dev/null'

# Create a single backup if changes are detected
ExecStartPre=/bin/sh -c 'if [ -f "$HOSTS_FILE" ]; then diff -q "$HOSTS_FILE" "${HOSTS_FILE}~" || cp -av --dereference "$HOSTS_FILE" "${HOSTS_FILE}~"; fi'

# Parse conf files and overwrite $HOSTS_FILE #
# Maintain $HOSTS_FILE header
ExecStart=-/bin/sh -c 'echo -e "### Generated by systemd-hosts.d ###\\n" > "$HOSTS_FILE"'
ExecStart=-/bin/sh -c 'echo "### All changes in this file will be ignored ###" >> "$HOSTS_FILE"'

# Add preceeding newline and accompanying comment to indicate the source conf
ExecStart=-/bin/sh -c 'find "$HOSTS_DIRECTORY" -maxdepth 1 -type f -iname '*.conf' \
| sort -n \
| while read CONF_FILE; \
do (echo -e "\\n## $CONF_FILE ##"; \
HOSTS_REGEX="$HOSTS_REGEX_BASE"; \
if test "$HOSTS_ENABLE_COMMENT" = "yes"; then \
HOSTS_REGEX="${HOSTS_REGEX_COMMENT}\\|$HOSTS_REGEX"; \
fi; \
grep -h "$HOSTS_REGEX" \
"$CONF_FILE") >> "$HOSTS_FILE"; done'

# Enforce file permission
ExecStartPost=-/bin/chmod ugo=r "$HOSTS_FILE"

[Install]
RequiredBy=network-pre.target
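Review bot: The ExecCondition `grep -r "$HOSTS_REGEX_BASE" "$HOSTS_DIRECTORY"` searches every file under the directory recursively, while the ExecStart loop only parses `-maxdepth 1 -type f -iname '*.conf'`, so a match in a subdirectory or in a non-.conf file satisfies the guard and the unit then truncates `$HOSTS_FILE` down to its two header lines; restricting the condition to the same file set, e.g. `ExecCondition=/bin/sh -c 'grep -qs "$HOSTS_REGEX_BASE" "$HOSTS_DIRECTORY"/*.conf'` (case-sensitive, unlike `-iname`), keeps the guard aligned with what is actually written. The `-` prefix on every ExecStart and on the ExecStartPost chmod means a failed header write, a failing grep or a failed permission reset still leaves the unit reporting success, leaving `${HOSTS_FILE}~` as the only recovery path; dropping the `-` at least on the first header write and the chmod would surface those failures. `echo -e` is not portable under `/bin/sh` — where `/bin/sh` is dash the `-e` is printed literally into the generated file — so `printf '### Generated by systemd-hosts.d ###\n\n' > "$HOSTS_FILE"` is the safer form for the header lines and for the per-file `## $CONF_FILE ##` banner. The inner `'*.conf'` quotes also sit inside the single-quoted `sh -c` string; the ExecStart this commit replaces appears to have used `\'` escapes for that case, and `-iname \'*.conf\'` here would hand the shell a quoted pattern instead of a bare `*.conf` that it may glob against the service's working directory.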