While the haproxy workers usually are running chrooted, the master process is not. This patch is a pretty safe defense-in-depth measure to ensure haproxy cannot touch sensitive parts of the file system.
ProtectSystem takes non-boolean arguments in newer SystemD versions, but setting those would leave older systems such as Ubuntu Xenial unprotected. Distro maintainers and system administrators could adapt the ProtectSystem value to the SystemD version they ship. --- contrib/systemd/haproxy.service.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in index 804be3583..e64246728 100644 --- a/contrib/systemd/haproxy.service.in +++ b/contrib/systemd/haproxy.service.in @@ -11,6 +11,8 @@ ExecReload=/bin/kill -USR2 $MAINPID KillMode=mixed Restart=always Type=notify +ProtectHome=true +ProtectSystem=true [Install] WantedBy=multi-user.target -- 2.16.2
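Review bot: The two added directives in this hunk (`+ProtectHome=true` and `+ProtectSystem=true`) should be documented in the unit file itself, because their effect is narrower and more disruptive than "haproxy cannot touch sensitive parts of the file system" suggests. With the boolean value, ProtectSystem=true only mounts /usr and the boot loader directories read-only for the service; /etc stays writable by the master process, so the configuration directory is not covered by this change, and the commit message would be clearer if it said so. ProtectHome=true, on the other hand, makes /home, /root and /run/user entirely inaccessible, so any file the master process needs to read at start or on `ExecReload=/bin/kill -USR2 $MAINPID` (configuration, certificates, map files, Lua scripts) that an administrator has placed under a home directory will fail to open after upgrading to this unit. Since the message already invites distro maintainers and administrators to adapt the ProtectSystem value, a short comment above the two lines naming what they restrict and pointing at a drop-in override (`systemctl edit haproxy`) would save users from debugging a silent-looking startup failure.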