From 55016e4cb2be19b212831d4ec682a4ffe79bb8f7 Mon Sep 17 00:00:00 2001
From: Orazio <22700499+orazioedoardo@users.noreply.github.com>
Date: Wed, 1 Feb 2023 19:03:12 +0100
Subject: [PATCH 1/4] Change pihole-FTL PID file location from /run/pihole-FTL.pid to /run/pihole/FTL.pid
Signed-off-by: Orazio <22700499+orazioedoardo@users.noreply.github.com>
---
 advanced/Scripts/piholeDebug.sh | 2 +-
 advanced/Scripts/utils.sh | 8 ++++----
 automated install/basic-install.sh | 4 ++++
 pihole | 2 +-
 test/test_any_utils.py | 2 +-
 5 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/advanced/Scripts/piholeDebug.sh b/advanced/Scripts/piholeDebug.sh
index c0264d1a..9b8ba6ec 100755
--- a/advanced/Scripts/piholeDebug.sh
+++ b/advanced/Scripts/piholeDebug.sh
@@ -120,7 +120,7 @@ PIHOLE_FTL_DB_FILE="$(get_ftl_conf_value "DBFILE" "${PIHOLE_DIRECTORY}/pihole-FT
 PIHOLE_COMMAND="${BIN_DIRECTORY}/pihole"
 PIHOLE_COLTABLE_FILE="${BIN_DIRECTORY}/COL_TABLE"
 
-FTL_PID="${RUN_DIRECTORY}/pihole-FTL.pid"
+FTL_PID="${RUN_DIRECTORY}/pihole/FTL.pid"
 
 PIHOLE_LOG="${LOG_DIRECTORY}/pihole.log"
 PIHOLE_LOG_GZIPS="${LOG_DIRECTORY}/pihole.log.[0-9].*"
diff --git a/advanced/Scripts/utils.sh b/advanced/Scripts/utils.sh
index 37516472..d6d50c3f 100755
--- a/advanced/Scripts/utils.sh
+++ b/advanced/Scripts/utils.sh
@@ -104,7 +104,7 @@ getFTLAPIPort(){
 #######################
 getFTLPIDFile() {
 local FTLCONFFILE="/etc/pihole/pihole-FTL.conf"
- local DEFAULT_PID_FILE="/run/pihole-FTL.pid"
+ local DEFAULT_PID_FILE="/run/pihole/FTL.pid"
 local FTL_PID_FILE
 
 if [ -s "${FTLCONFFILE}" ]; then
@@ -119,10 +119,10 @@ getFTLPIDFile() {
 }
 
 #######################
-# returns FTL's PID based on the content of the pihole-FTL.pid file
+# returns FTL's PID based on the content of the FTL.pid file
 #
-# Takes one argument: path to pihole-FTL.pid
-# Example getFTLPID "/run/pihole-FTL.pid"
+# Takes one argument: path to FTL.pid
+# Example getFTLPID "/run/pihole/FTL.pid"
 #######################
 getFTLPID() {
 local FTL_PID_FILE="${1}"
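Review bot: The new fallback `local DEFAULT_PID_FILE="/run/pihole/FTL.pid"` in getFTLPIDFile only takes effect when pihole-FTL.conf carries no PIDFILE key, so it has to agree with the default built into the pihole-FTL binary, and PATCH 4/4 of this series removes the installer step that wrote that key, leaving nothing on this page that ties the two together. If the binary still creates `/run/pihole-FTL.pid`, the scripts read a missing file and the reload path in `pihole` presumably degrades to a full restart; either confirm FTL's built-in default or keep writing `PIDFILE` during install. piholeDebug.sh repeats the same literal as `FTL_PID="${RUN_DIRECTORY}/pihole/FTL.pid"` instead of asking `getFTLPIDFile`, so a PIDFILE configured by the user is ignored there and a third copy of the default can drift; `FTL_PID="$(getFTLPIDFile)"` would be preferable if utils.sh is sourced by that script. The body of getFTLPIDFile between the two hunks is outside this page.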
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index 6bb8e363..b1d032ff 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -83,6 +83,7 @@ PI_HOLE_INSTALL_DIR="/opt/pihole"
 PI_HOLE_CONFIG_DIR="/etc/pihole"
 PI_HOLE_BIN_DIR="/usr/local/bin"
 FTL_CONFIG_FILE="${PI_HOLE_CONFIG_DIR}/pihole-FTL.conf"
+FTL_PID_FILE="/run/pihole/FTL.pid"
 if [ -z "$useUpdateVars" ]; then
 useUpdateVars=false
 fi
@@ -1851,6 +1852,9 @@ finalExports() {
 # Set the privacy level
 addOrEditKeyValPair "${FTL_CONFIG_FILE}" "PRIVACYLEVEL" "${PRIVACY_LEVEL}"
 
+ # Set the PID file path
+ addOrEditKeyValPair "${FTL_CONFIG_FILE}" "PIDFILE" "${FTL_PID_FILE}"
+
 # Bring in the current settings and the functions to manipulate them
 source "${setupVars}"
 # shellcheck source=advanced/Scripts/webpage.sh
diff --git a/pihole b/pihole
index a99a37e7..ab4a5468 100755
--- a/pihole
+++ b/pihole
@@ -119,7 +119,7 @@ restartDNS() {
 local svcOption svc str output status pid icon FTL_PID_FILE
 svcOption="${1:-restart}"
 
- # get the current path to the pihole-FTL.pid
+ # get the current path to the FTL.pid
 FTL_PID_FILE="$(getFTLPIDFile)"
 
 # Determine if we should reload or restart
diff --git a/test/test_any_utils.py b/test/test_any_utils.py
index 5b4075d9..cb6d7c8e 100644
--- a/test/test_any_utils.py
+++ b/test/test_any_utils.py
@@ -116,7 +116,7 @@ def test_getFTLPIDFile_default(host):
 getFTLPIDFile
 """
 )
- expected_stdout = "/run/pihole-FTL.pid\n"
+ expected_stdout = "/run/pihole/FTL.pid\n"
 assert expected_stdout == output.stdout
 
 
From dc83102e7112ce219e02311d4afff60cb9a1cf1e Mon Sep 17 00:00:00 2001
From: Orazio <22700499+orazioedoardo@users.noreply.github.com>
Date: Wed, 1 Feb 2023 19:04:59 +0100
Subject: [PATCH 2/4] Enable systemd sandboxing settings for pihole-FTL.service
Signed-off-by: Orazio <22700499+orazioedoardo@users.noreply.github.com>
---
 advanced/Templates/pihole-FTL.systemd | 34 ++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 6 deletions(-)
diff --git a/advanced/Templates/pihole-FTL.systemd b/advanced/Templates/pihole-FTL.systemd
index 2a114199..6f321eff 100644
--- a/advanced/Templates/pihole-FTL.systemd
+++ b/advanced/Templates/pihole-FTL.systemd
@@ -19,6 +19,7 @@ StartLimitIntervalSec=60s
 User=pihole
 PermissionsStartOnly=true
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN
 
 ExecStartPre=/opt/pihole/pihole-FTL-prestart.sh
 ExecStart=/usr/bin/pihole-FTL -f
@@ -30,12 +31,33 @@ ExecStopPost=/opt/pihole/pihole-FTL-poststop.sh
 # Use graceful shutdown with a reasonable timeout
 TimeoutStopSec=10s
 
-# Make /usr, /boot, /etc and possibly some more folders read-only...
-ProtectSystem=full
-# ... except /etc/pihole
-# This merely retains r/w access rights, it does not add any new.
-# Must still be writable on the host!
-ReadWriteDirectories=/etc/pihole
+BindReadOnlyPaths=/opt/pihole
+ConfigurationDirectory=pihole
+LockPersonality=true
+LogsDirectory=pihole
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectory=pihole
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+TemporaryFileSystem=/media /mnt /opt /run /srv /var
 
 [Install]
 WantedBy=multi-user.target
From bf1104df614d08889e4932cac75ba14d1c9f364b Mon Sep 17 00:00:00 2001
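Review bot: `RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX` looks too narrow for a unit that deliberately keeps `CAP_NET_RAW`: the dnsmasq code embedded in FTL opens a PF_PACKET socket on Linux to deliver DHCP replies to clients that have no address yet, if I remember its dhcp.c correctly, and under this setting that socket() call fails with EAFNOSUPPORT, so Pi-hole's DHCP server would stop working for users who enable it. Unless DHCP has been exercised under the new unit, add the family to the allow-list, `RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX`, with a comment saying it exists for DHCP. Separately, `TemporaryFileSystem=/media /mnt /opt /run /srv /var` hides everything under /run and /var that is not re-exposed through `RuntimeDirectory=`, `LogsDirectory=` or `BindReadOnlyPaths=`, and ExecStartPre/ExecStopPost run in the same mount namespace, so anything those scripts (not on this page) write elsewhere in those trees lands in an ephemeral tmpfs; worth checking them for a lingering `/run/pihole-FTL.pid` or similar path. A test that starts the service with DHCP enabled and checks the journal for EAFNOSUPPORT would catch the first point.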
From: Orazio <22700499+orazioedoardo@users.noreply.github.com>
Date: Wed, 1 Feb 2023 19:33:23 +0100
Subject: [PATCH 3/4] Comment important settings in the pihole-FTL.service file
Signed-off-by: Orazio <22700499+orazioedoardo@users.noreply.github.com>
---
 advanced/Templates/pihole-FTL.systemd | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/advanced/Templates/pihole-FTL.systemd b/advanced/Templates/pihole-FTL.systemd
index 6f321eff..5a2dcc8b 100644
--- a/advanced/Templates/pihole-FTL.systemd
+++ b/advanced/Templates/pihole-FTL.systemd
@@ -19,6 +19,7 @@ StartLimitIntervalSec=60s
 User=pihole
 PermissionsStartOnly=true
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN
+# Prevents the pihole-FTL process from acquiring more capabilities then the following
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN
 
 ExecStartPre=/opt/pihole/pihole-FTL-prestart.sh
@@ -31,13 +32,18 @@ ExecStopPost=/opt/pihole/pihole-FTL-poststop.sh
 # Use graceful shutdown with a reasonable timeout
 TimeoutStopSec=10s
 
+# Let the pihole-FTL process see a read-only view of /opt/pihole when TemporaryFileSystem= is
+# hiding the content of /opt
 BindReadOnlyPaths=/opt/pihole
+# Gives access to /etc/pihole
 ConfigurationDirectory=pihole
 LockPersonality=true
+# Gives access to /var/log/pihole
 LogsDirectory=pihole
 NoNewPrivileges=true
 PrivateDevices=true
 PrivateIPC=true
+# Gives pihole-FTL a private (0700), not shared, per-execution, tmp folder
 PrivateTmp=true
 ProtectClock=true
 ProtectControlGroups=true
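Review bot: The added comment `# Prevents the pihole-FTL process from acquiring more capabilities then the following` has a typo ("then" should be "than") and slightly understates what a bounding set does, since it also caps anything the service executes; suggest `# Bounding set: pihole-FTL and anything it executes can never hold capabilities beyond the following, even via file capabilities`. In the second hunk, `# Gives access to /etc/pihole` and `# Gives access to /var/log/pihole` read as if the directives grant permissions the pihole user did not have; `# Declares /etc/pihole as this unit's configuration directory and keeps it reachable inside the sandbox` and the matching wording for /var/log/pihole would describe the effect more precisely without claiming more than the directive does.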
@@ -46,17 +52,23 @@ ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+# Hides processes owned by other users from pihole-FTL view
 ProtectProc=invisible
+# Mount the entire file system as read-only. Write access to required folders is provided via
+# {Configuration,Logs,Runtime}Directory= settings
 ProtectSystem=strict
 RemoveIPC=true
 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
+# Gives access to /run/pihole, cleared when service is stopped
 RuntimeDirectory=pihole
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
+# Blacklist using the '~' character the @privileged syscall set
 SystemCallFilter=~@privileged
+# Hides the content of the following folders, which may contain user data, from pihole-FTL view
 TemporaryFileSystem=/media /mnt /opt /run /srv /var
 
 [Install]
From c091083fbec3e1c34fe0d7e03c25b37e52aab98f Mon Sep 17 00:00:00 2001
From: Orazio <22700499+orazioedoardo@users.noreply.github.com>
Date: Fri, 3 Feb 2023 16:17:12 +0100
Subject: [PATCH 4/4] Do not hardcode FTL PID file path
Signed-off-by: Orazio <22700499+orazioedoardo@users.noreply.github.com>
---
 automated install/basic-install.sh | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/automated install/basic-install.sh b/automated install/basic-install.sh
index b1d032ff..6bb8e363 100755
--- a/automated install/basic-install.sh
+++ b/automated install/basic-install.sh
@@ -83,7 +83,6 @@ PI_HOLE_INSTALL_DIR="/opt/pihole"
 PI_HOLE_CONFIG_DIR="/etc/pihole"
 PI_HOLE_BIN_DIR="/usr/local/bin"
 FTL_CONFIG_FILE="${PI_HOLE_CONFIG_DIR}/pihole-FTL.conf"
-FTL_PID_FILE="/run/pihole/FTL.pid"
 if [ -z "$useUpdateVars" ]; then
 useUpdateVars=false
 fi
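Review bot: The comment `# Mount the entire file system as read-only. Write access to required folders is provided via {Configuration,Logs,Runtime}Directory= settings` asserts something the unit should not take for granted: systemd's documentation treats ConfigurationDirectory= differently from the Logs/Runtime/State variants (it is the one whose ownership is not adjusted, and it is described as holding configuration the service reads), while FTL's DBFILE default in piholeDebug.sh points under PIHOLE_DIRECTORY, presumably /etc/pihole, which the previous `ReadWriteDirectories=/etc/pihole` made writable explicitly. Please verify that FTL can still write its databases there under `ProtectSystem=strict` and, if that relies on the bind mount the directory settings imply, state that in the comment rather than grouping ConfigurationDirectory= with the writable ones. `# Blacklist using the '~' character the @privileged syscall set` would read better as `# A leading '~' denies the listed set: @privileged is removed on top of the @system-service allow-list`.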
@@ -1852,9 +1851,6 @@ finalExports() {
 # Set the privacy level
 addOrEditKeyValPair "${FTL_CONFIG_FILE}" "PRIVACYLEVEL" "${PRIVACY_LEVEL}"
 
- # Set the PID file path
- addOrEditKeyValPair "${FTL_CONFIG_FILE}" "PIDFILE" "${FTL_PID_FILE}"
-
 # Bring in the current settings and the functions to manipulate them
 source "${setupVars}"
 # shellcheck source=advanced/Scripts/webpage.sh