Here: https://salsa.debian.org/dns-team/bind9.git (and future https://salsa.debian.org/dns-team/bind.git); you'll probably need a guest account, which can be created here: https://signup.salsa.debian.org/

Ondrej
--
Ondřej Surý <[email protected]>

On Thu, Feb 1, 2018, at 09:44, Ludovic Gasc wrote:
> Hi,
>
> On Mon, 29 Jan 2018 11:18:47 -0500 Simon Deziel <[email protected]> wrote:
> > SystemCallArchitectures=native
> > # note: AF_NETLINK is needed for getifaddrs(3)
> > RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
>
> I'm also working to increase the security of bind via systemd without MAC
> enabled; I have integrated your suggestions.
> FYI, I have discussed this on the bind mailing-list to validate the unit
> file; the complete discussion:
> https://lists.isc.org/pipermail/bind-users/2018-January/099437.html
>
> Below is the actual unit file I'm using in our production.
> If you have extra suggestions, I'm interested.
>
> How could I send a merge request?
> I have found the file in Git:
> https://anonscm.debian.org/git/pkg-dns/bind9.git/tree/debian/bind9.service
> Do I send a patch to the Debian-DNS mailing-list?
>
> Regards
>
> [Unit]
> After=network-online.target
>
> [Service]
> Type=simple
> TimeoutSec=25
> Restart=always
> RestartSec=1
> User=bind
> Group=bind
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
> AmbientCapabilities=CAP_NET_BIND_SERVICE
> SystemCallFilter=~@mount @debug acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
> LimitCORE=infinity
> LimitNOFILE=65535
> NoNewPrivileges=true
> SystemCallArchitectures=native
> MemoryDenyWriteExecute=true
> RestrictRealtime=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectSystem=strict
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectControlGroups=true
> ReadOnlyPaths=/sys
> InaccessiblePaths=/home
> InaccessiblePaths=/opt
> InaccessiblePaths=/root
> ReadWritePaths=/run/named
> ReadWritePaths=/var/cache/bind
> ReadWritePaths=/var/lib/bind
> _______________________________________________
> pkg-dns-devel mailing list
> [email protected]
> https://lists.alioth.debian.org/mailman/listinfo/pkg-dns-devel
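As an added example (not code from this thread or from the Debian package), the following lints a unit like the one above for the sandboxing points raised here: repeated keys such as ReadWritePaths= accumulate under systemd's list semantics, ProtectSystem=strict needs explicit ReadWritePaths= for named's state, AF_NETLINK must stay in RestrictAddressFamilies= for getifaddrs(3), and the deny-list form of SystemCallFilter= should cover ptrace. The UNIT text is a constructed excerpt of the quoted unit file.

```python
from collections import defaultdict

# Constructed excerpt of the unit quoted in the thread (not the Debian package's file).
UNIT = """\
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SystemCallFilter=~@mount @debug acct ptrace kexec_load
# note: AF_NETLINK is needed for getifaddrs(3)
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/run/named
ReadWritePaths=/var/cache/bind
"""

def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}; repeated keys accumulate
    (systemd list semantics) and an empty assignment resets, unlike configparser."""
    sections, section = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank lines and comments
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        sections[section][key] = [] if not value else sections[section][key] + [value]
    return sections

def check_hardening(unit):
    """Return a list of findings for the sandboxing points discussed in the thread."""
    svc = unit["Service"]
    tokens = lambda k: " ".join(svc.get(k, [])).split()   # space-separated list values
    findings = []
    if svc.get("NoNewPrivileges") != ["true"]:
        findings.append("NoNewPrivileges= is not true")
    if set(tokens("CapabilityBoundingSet")) - {"CAP_NET_BIND_SERVICE"}:
        findings.append("CapabilityBoundingSet= grants more than CAP_NET_BIND_SERVICE")
    if "AF_NETLINK" not in tokens("RestrictAddressFamilies"):
        findings.append("RestrictAddressFamilies= lacks AF_NETLINK (getifaddrs(3) needs it)")
    if "strict" in tokens("ProtectSystem") and not svc.get("ReadWritePaths"):
        findings.append("ProtectSystem=strict but no ReadWritePaths= for named's state")
    filt = tokens("SystemCallFilter")   # a leading '~' makes the whole list a deny-list
    denied = {filt[0][1:], *filt[1:]} if filt and filt[0].startswith("~") else set()
    if not {"ptrace", "@debug"} & denied:
        findings.append("SystemCallFilter= does not deny ptrace")
    return findings
```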

