While the haproxy workers usually are running chrooted the master process is not. This patch is a pretty safe defense in depth measure to ensure haproxy cannot touch sensitive parts of the file system.
ProtectSystem takes non-boolean arguments in newer SystemD versions, but setting those would leave older systems such as Ubuntu Xenial unprotected. Distro maintainers and system administrators could adapt the ProtectSystem value to the SystemD version they ship. --- contrib/systemd/haproxy.service.in | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in index 5d8eecf06..846bcc77f 100644 --- a/contrib/systemd/haproxy.service.in +++ b/contrib/systemd/haproxy.service.in @@ -18,5 +18,15 @@ Type=notify # reduced performance. See systemd.service(5) and systemd.exec(5) for further # information. +# NoNewPrivileges=true +# ProtectHome=true +# If you want to use 'ProtectSystem=strict' you should whitelist the PIDFILE, +# any state files and any other files written using 'ReadWritePaths' or +# 'RuntimeDirectory'. +# ProtectSystem=true +# ProtectKernelTunables=true +# ProtectKernelModules=true +# ProtectControlGroups=true + [Install] WantedBy=multi-user.target -- 2.16.2