From: Tom Hughes
Date: Wed, 9 Nov 2022 22:52:16 +0000 (+0000)
Subject: Use default sandboxing for the gdnsd-reload service
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/9014179b3f52fbef2647e6774afc88bafe6dfdf5

Use default sandboxing for the gdnsd-reload service
---

diff --git a/cookbooks/geodns/recipes/default.rb b/cookbooks/geodns/recipes/default.rb
index 3a166262c..8afa85cc5 100644
--- a/cookbooks/geodns/recipes/default.rb
+++ b/cookbooks/geodns/recipes/default.rb
@@ -74,11 +74,8 @@ systemd_service "gdnsd-reload" do
 user "root"
 exec_start "/bin/systemctl reload-or-restart gdnsd"
 standard_output "null"
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
- no_new_privileges true
+ sandbox true
+ restrict_address_families "AF_UNIX"
 end
 
 systemd_path "gdnsd-reload" do
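Review bot: The five explicit hardening settings removed here (`private_tmp`, `private_devices`, `protect_system "strict"`, `protect_home`, `no_new_privileges`) now depend entirely on what `sandbox true` expands to inside the `systemd_service` resource, which is not visible in this hunk. Since the unit runs as `user "root"`, it is worth confirming that the default set still covers each of them, for example by comparing `systemd-analyze security gdnsd-reload.service` on a converged node before and after the change. The `restrict_address_families "AF_UNIX"` line would also benefit from a short why-comment, such as `# systemctl only talks to systemd over a UNIX socket, so no other address family is needed`, so that a later edit does not widen it without reason. The `systemd_service "gdnsd-reload"` block opens above the hunk's first line, so any other properties it sets are outside this view.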