From f12bb76fc468661d5624d838b48937736fd624ec Mon Sep 17 00:00:00 2001
From: Craig Andrews
Date: Thu, 30 Jun 2016 10:17:30 -0400
Subject: [PATCH] net-dns/dnsmasq: systemd hardening

Improve the systemd unit by having dnsmasq never run as root, restricting capabilities as much as possible, and limiting file system access.

Gentoo-bug: 587586
---
 net-dns/dnsmasq/files/dnsmasq.service-r1 | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/net-dns/dnsmasq/files/dnsmasq.service-r1 b/net-dns/dnsmasq/files/dnsmasq.service-r1
index 8e313bc..b288afd 100644
--- a/net-dns/dnsmasq/files/dnsmasq.service-r1
+++ b/net-dns/dnsmasq/files/dnsmasq.service-r1
@@ -3,10 +3,21 @@ Description=A lightweight DHCP and caching DNS server
 After=network.target

 [Service]
+User=dnsmasq
+Group=dnsmasq
 Type=simple
+PIDFile=/run/dnsmasq/dnsmasq.pid
 ExecStartPre=/usr/sbin/dnsmasq --test
-ExecStart=/usr/sbin/dnsmasq -k --user=dnsmasq --group=dnsmasq
+ExecStart=/usr/sbin/dnsmasq -k -x /run/dnsmasq/dnsmasq.pid
 ExecReload=/bin/kill -HUP $MAINPID
+RuntimeDirectory=dnsmasq
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes

 [Install]
 WantedBy=multi-user.target
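Review bot: The new `CapabilityBoundingSet=` and `AmbientCapabilities=` lines omit CAP_NET_RAW, which dnsmasq's DHCP server appears to need for the ICMP echo check it runs before offering an address (the check that `--no-ping` disables). With the process started as `User=dnsmasq` and `NoNewPrivileges=yes`, it cannot obtain that capability any other way. If DHCP is a supported use of this unit, consider `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW` and the same list in `AmbientCapabilities=`. Separately, because dnsmasq no longer starts as root, anything it used to open before dropping privileges (its configuration and the lease file) must already be readable or writable by the dnsmasq user; a comment in the unit or the ebuild saying so would help. `PIDFile=` is probably also unnecessary with `Type=simple`, where systemd tracks the foreground process directly.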