Orazio 4 weeks ago committed by GitHub
commit 373142c3cc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -124,7 +124,7 @@ PIHOLE_FTL_DB_FILE="$(get_ftl_conf_value "DBFILE" "${PIHOLE_DIRECTORY}/pihole-FT
PIHOLE_COMMAND="${BIN_DIRECTORY}/pihole" PIHOLE_COMMAND="${BIN_DIRECTORY}/pihole"
PIHOLE_COLTABLE_FILE="${BIN_DIRECTORY}/COL_TABLE" PIHOLE_COLTABLE_FILE="${BIN_DIRECTORY}/COL_TABLE"
FTL_PID="${RUN_DIRECTORY}/pihole-FTL.pid" FTL_PID="${RUN_DIRECTORY}/pihole/FTL.pid"
PIHOLE_LOG="${LOG_DIRECTORY}/pihole.log" PIHOLE_LOG="${LOG_DIRECTORY}/pihole.log"
PIHOLE_LOG_GZIPS="${LOG_DIRECTORY}/pihole.log.[0-9].*" PIHOLE_LOG_GZIPS="${LOG_DIRECTORY}/pihole.log.[0-9].*"

@ -108,7 +108,7 @@ getFTLAPIPort(){
####################### #######################
getFTLPIDFile() { getFTLPIDFile() {
local FTLCONFFILE="/etc/pihole/pihole-FTL.conf" local FTLCONFFILE="/etc/pihole/pihole-FTL.conf"
local DEFAULT_PID_FILE="/run/pihole-FTL.pid" local DEFAULT_PID_FILE="/run/pihole/FTL.pid"
local FTL_PID_FILE local FTL_PID_FILE
if [ -s "${FTLCONFFILE}" ]; then if [ -s "${FTLCONFFILE}" ]; then
@ -123,10 +123,10 @@ getFTLPIDFile() {
} }
####################### #######################
# returns FTL's PID based on the content of the pihole-FTL.pid file # returns FTL's PID based on the content of the FTL.pid file
# #
# Takes one argument: path to pihole-FTL.pid # Takes one argument: path to FTL.pid
# Example getFTLPID "/run/pihole-FTL.pid" # Example getFTLPID "/run/pihole/FTL.pid"
####################### #######################
getFTLPID() { getFTLPID() {
local FTL_PID_FILE="${1}" local FTL_PID_FILE="${1}"
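Review bot: The new default matches `RuntimeDirectory=pihole`, but `getFTLPIDFile` still consults `/etc/pihole/pihole-FTL.conf` before falling back to it (the `[ -s "${FTLCONFFILE}" ]` branch; the rest of the body is outside the hunk), so a PID file path configured there is presumably still returned. Under the hardened unit in this commit (`ProtectSystem=strict`, `TemporaryFileSystem=` over /run and /var), a configured path outside `/run/pihole` would likely not be writable by pihole-FTL, and callers such as `getFTLPID` would then read a stale or missing file. Consider stating the constraint in the header comment, e.g. `# Note: with the sandboxed service unit the PID file must live under /run/pihole`.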

@ -19,6 +19,8 @@ StartLimitIntervalSec=60s
User=pihole User=pihole
PermissionsStartOnly=true PermissionsStartOnly=true
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN
# Prevents the pihole-FTL process from acquiring more capabilities then the following
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN
ExecStartPre=/opt/pihole/pihole-FTL-prestart.sh ExecStartPre=/opt/pihole/pihole-FTL-prestart.sh
ExecStart=/usr/bin/pihole-FTL -f ExecStart=/usr/bin/pihole-FTL -f
@ -30,12 +32,44 @@ ExecStopPost=/opt/pihole/pihole-FTL-poststop.sh
# Use graceful shutdown with a reasonable timeout # Use graceful shutdown with a reasonable timeout
TimeoutStopSec=10s TimeoutStopSec=10s
# Make /usr, /boot, /etc and possibly some more folders read-only... # Let the pihole-FTL process see a read-only view of /opt/pihole when TemporaryFileSystem= is
ProtectSystem=full # hiding the content of /opt
# ... except /etc/pihole BindReadOnlyPaths=/opt/pihole
# This merely retains r/w access rights, it does not add any new. # Gives access to /etc/pihole
# Must still be writable on the host! ConfigurationDirectory=pihole
ReadWriteDirectories=/etc/pihole LockPersonality=true
# Gives access to /var/log/pihole
LogsDirectory=pihole
NoNewPrivileges=true
PrivateDevices=true
PrivateIPC=true
# Gives pihole-FTL a private (0700), not shared, per-execution, tmp folder
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Hides processes owned by other users from pihole-FTL view
ProtectProc=invisible
# Mount the entire file system as read-only. Write access to required folders is provided via
# {Configuration,Logs,Runtime}Directory= settings
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# Gives access to /run/pihole, cleared when service is stopped
RuntimeDirectory=pihole
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Blacklist using the '~' character the @privileged syscall set
SystemCallFilter=~@privileged
# Hides the content of the following folders, which may contain user data, from pihole-FTL view
TemporaryFileSystem=/media /mnt /opt /run /srv /var
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
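Review bot: `CAP_CHOWN` stays in `AmbientCapabilities=` and the new `CapabilityBoundingSet=`, while `SystemCallFilter=~@privileged` takes the `@chown` group (part of `@privileged`) out of the allow-list, so the sandboxed process can no longer exercise that capability. With no `SystemCallErrorNumber=` set, a filtered call kills pihole-FTL with SIGSYS instead of returning an error; `SystemCallErrorNumber=EPERM` would turn that into a loggable failure. If pihole-FTL never calls chown itself, drop `CAP_CHOWN` from both lists; otherwise re-allow `@chown` after the deny line. Because `PermissionsStartOnly=true` is kept, the `ExecStartPre=`/`ExecStopPost=` scripts presumably still run as root outside these restrictions, which deserves a comment in the unit. In the new comment above `CapabilityBoundingSet=`, "then" should read "than".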

@ -124,7 +124,7 @@ restartDNS() {
local svcOption svc str output status pid icon FTL_PID_FILE local svcOption svc str output status pid icon FTL_PID_FILE
svcOption="${1:-restart}" svcOption="${1:-restart}"
# get the current path to the pihole-FTL.pid # get the current path to the FTL.pid
FTL_PID_FILE="$(getFTLPIDFile)" FTL_PID_FILE="$(getFTLPIDFile)"
# Determine if we should reload or restart # Determine if we should reload or restart

@ -136,7 +136,7 @@ def test_getFTLPIDFile_default(host):
getFTLPIDFile getFTLPIDFile
""" """
) )
expected_stdout = "/run/pihole-FTL.pid\n" expected_stdout = "/run/pihole/FTL.pid\n"
assert expected_stdout == output.stdout assert expected_stdout == output.stdout
