diff --git a/advanced/Scripts/piholeDebug.sh b/advanced/Scripts/piholeDebug.sh
index fb1efbeb..fdb759cc 100755
--- a/advanced/Scripts/piholeDebug.sh
+++ b/advanced/Scripts/piholeDebug.sh
@@ -124,7 +124,7 @@ PIHOLE_FTL_DB_FILE="$(get_ftl_conf_value "DBFILE" "${PIHOLE_DIRECTORY}/pihole-FT
 PIHOLE_COMMAND="${BIN_DIRECTORY}/pihole"
 PIHOLE_COLTABLE_FILE="${BIN_DIRECTORY}/COL_TABLE"
-FTL_PID="${RUN_DIRECTORY}/pihole-FTL.pid"
+FTL_PID="${RUN_DIRECTORY}/pihole/FTL.pid"
 PIHOLE_LOG="${LOG_DIRECTORY}/pihole.log"
 PIHOLE_LOG_GZIPS="${LOG_DIRECTORY}/pihole.log.[0-9].*"
diff --git a/advanced/Scripts/utils.sh b/advanced/Scripts/utils.sh
index f655e56c..e6947821 100755
--- a/advanced/Scripts/utils.sh
+++ b/advanced/Scripts/utils.sh
@@ -108,7 +108,7 @@ getFTLAPIPort(){
 #######################
 getFTLPIDFile() {
 local FTLCONFFILE="/etc/pihole/pihole-FTL.conf"
- local DEFAULT_PID_FILE="/run/pihole-FTL.pid"
+ local DEFAULT_PID_FILE="/run/pihole/FTL.pid"
 local FTL_PID_FILE
 if [ -s "${FTLCONFFILE}" ]; then
@@ -123,10 +123,10 @@ getFTLPIDFile() {
 }
 #######################
-# returns FTL's PID based on the content of the pihole-FTL.pid file
+# returns FTL's PID based on the content of the FTL.pid file
 #
-# Takes one argument: path to pihole-FTL.pid
-# Example getFTLPID "/run/pihole-FTL.pid"
+# Takes one argument: path to FTL.pid
+# Example getFTLPID "/run/pihole/FTL.pid"
 #######################
 getFTLPID() {
 local FTL_PID_FILE="${1}"
diff --git a/advanced/Templates/pihole-FTL.systemd b/advanced/Templates/pihole-FTL.systemd
index 2a114199..5a2dcc8b 100644
--- a/advanced/Templates/pihole-FTL.systemd
+++ b/advanced/Templates/pihole-FTL.systemd
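Review bot: The new `FTL_PID="${RUN_DIRECTORY}/pihole/FTL.pid"` in piholeDebug.sh still hard-codes the PID file path, so the debug report diverges from `getFTLPIDFile` in utils.sh (the next two hunks on this page) whenever the path is overridden in /etc/pihole/pihole-FTL.conf, which the `if [ -s "${FTLCONFFILE}" ]` branch there appears to support. The hunk header shows the debug script already has a `get_ftl_conf_value KEY DEFAULT` helper for exactly this, so `FTL_PID="$(get_ftl_conf_value "PIDFILE" "${RUN_DIRECTORY}/pihole/FTL.pid")"` would keep the two in sync, assuming PIDFILE is the key getFTLPIDFile reads (its conf-parsing lines are outside the hunk). The second utils.sh hunk only updates comments and needs no change.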
@@ -19,6 +19,8 @@ StartLimitIntervalSec=60s
 User=pihole
 PermissionsStartOnly=true
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN
+# Prevents the pihole-FTL process from acquiring more capabilities then the following
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN
 ExecStartPre=/opt/pihole/pihole-FTL-prestart.sh
 ExecStart=/usr/bin/pihole-FTL -f
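Review bot: The new comment above `CapabilityBoundingSet=` has a typo: "more capabilities then the following" should read "more capabilities than the following". Because the bounding set repeats the `AmbientCapabilities=` list verbatim, a later edit that touches only one of the two lines will either silently strip an ambient capability out of the bounding set (FTL loses it at exec) or widen the bounding set beyond what is ambient; a short comment such as `# Keep in sync with AmbientCapabilities= above` on the new line would make that coupling explicit.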
@@ -30,12 +32,44 @@ ExecStopPost=/opt/pihole/pihole-FTL-poststop.sh
 # Use graceful shutdown with a reasonable timeout
 TimeoutStopSec=10s
-# Make /usr, /boot, /etc and possibly some more folders read-only...
-ProtectSystem=full
-# ... except /etc/pihole
-# This merely retains r/w access rights, it does not add any new.
-# Must still be writable on the host!
-ReadWriteDirectories=/etc/pihole
+# Let the pihole-FTL process see a read-only view of /opt/pihole when TemporaryFileSystem= is
+# hiding the content of /opt
+BindReadOnlyPaths=/opt/pihole
+# Gives access to /etc/pihole
+ConfigurationDirectory=pihole
+LockPersonality=true
+# Gives access to /var/log/pihole
+LogsDirectory=pihole
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+# Gives pihole-FTL a private (0700), not shared, per-execution, tmp folder
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+# Hides processes owned by other users from pihole-FTL view
+ProtectProc=invisible
+# Mount the entire file system as read-only. Write access to required folders is provided via
+# {Configuration,Logs,Runtime}Directory= settings
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+# Gives access to /run/pihole, cleared when service is stopped
+RuntimeDirectory=pihole
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+# Blacklist using the '~' character the @privileged syscall set
+SystemCallFilter=~@privileged
+# Hides the content of the following folders, which may contain user data, from pihole-FTL view
+TemporaryFileSystem=/media /mnt /opt /run /srv /var
 [Install]
 WantedBy=multi-user.target
diff --git a/pihole b/pihole
index 1d9ad82c..870630ed 100755
--- a/pihole
+++ b/pihole
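Review bot: `SystemCallFilter=~@privileged` removes the `@chown` (and `@setuid`) groups from the `@system-service` allow-list, yet the unit still grants `CAP_CHOWN` through `AmbientCapabilities=`/`CapabilityBoundingSet=`; if pihole-FTL calls chown(2) at startup the filter's default action terminates it with SIGSYS, and if it never does, `CAP_CHOWN` is dead weight that should be dropped from both capability lists. I would exercise a full start/stop cycle under this unit and check the journal for SIGSYS before merging, or add a later `SystemCallFilter=@chown` line after `~@privileged` so the capability stays usable. Separately, `TemporaryFileSystem=/run` shadows /run inside the service's mount namespace while `RuntimeDirectory=pihole` is where utils.sh and piholeDebug.sh on the host now expect `/run/pihole/FTL.pid`; it is worth confirming on a real host that the PID file the service writes is visible to those host-side scripts and not only inside the namespace, since `pihole restartdns` depends on it.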
@@ -124,7 +124,7 @@ restartDNS() {
 local svcOption svc str output status pid icon FTL_PID_FILE
 svcOption="${1:-restart}"
- # get the current path to the pihole-FTL.pid
+ # get the current path to the FTL.pid
 FTL_PID_FILE="$(getFTLPIDFile)"
 # Determine if we should reload or restart
diff --git a/test/test_any_utils.py b/test/test_any_utils.py
index b3fabe6c..c84feb5e 100644
--- a/test/test_any_utils.py
+++ b/test/test_any_utils.py
@@ -136,7 +136,7 @@ def test_getFTLPIDFile_default(host):
 getFTLPIDFile
 """
 )
- expected_stdout = "/run/pihole-FTL.pid\n"
+ expected_stdout = "/run/pihole/FTL.pid\n"
 assert expected_stdout == output.stdout