From 4fc3d14ac3e31d388b6cf7980525793944a96dc2 Mon Sep 17 00:00:00 2001
From: James Valleroy
Date: Sat, 1 Feb 2020 13:03:12 -0500
Subject: [PATCH] bind: Add CapabilityBoundingSet and ReadWritePaths to service file Change ProtectSystem to strict.
Signed-off-by: James Valleroy
Reviewed-by: Sunil Mohan Adapa
---
 .../data/lib/systemd/system/bind9.service.d/freedombox.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/plinth/modules/bind/data/lib/systemd/system/bind9.service.d/freedombox.conf b/plinth/modules/bind/data/lib/systemd/system/bind9.service.d/freedombox.conf
index 09e2117cd..0b7d787ed 100644
--- a/plinth/modules/bind/data/lib/systemd/system/bind9.service.d/freedombox.conf
+++ b/plinth/modules/bind/data/lib/systemd/system/bind9.service.d/freedombox.conf
@@ -1,4 +1,5 @@
 [Service]
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE
 LockPersonality=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
@@ -9,7 +10,8 @@ ProtectHome=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectSystem=full
+ProtectSystem=strict
+ReadWritePaths=/var/lib/bind /var/cache/bind /var/run/named
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 RestrictRealtime=yes
 SystemCallArchitectures=native
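Review bot: The new `CapabilityBoundingSet=` line in the first hunk carries no comment saying why each of the five capabilities is kept, so a later maintainer cannot tell which entries are load-bearing and which could still be dropped. I would put a comment directly above it, for example `# Kept for named before it drops root: bind to port 53, setuid/setgid to its service user, chroot, raise resource limits`. Because the bounding set is a hard ceiling for the service and anything it spawns, a capability missing from it only shows up at start-up or at runtime. I cannot tell from this hunk whether named on the target release asks for anything beyond these five, so a start-and-reload test on the supported releases, plus a look at `systemd-analyze security bind9.service`, would be worth recording in the commit message.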
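Review bot: In the second hunk, `ReadWritePaths=` lists `/var/run/named` without the `-` prefix, so if that directory does not exist when the unit starts, systemd fails the mount-namespace setup and named does not start at all. If the directory is created late or sits on a runtime tmpfs (not visible from this hunk), `ReadWritePaths=/var/lib/bind /var/cache/bind -/var/run/named` makes the entry tolerant of a missing path while keeping the same write set. Moving from `ProtectSystem=full` to `strict` also makes every location outside these three paths read-only for the service. Any other file named is configured to write, such as a logging channel file or journal files for dynamic zones stored elsewhere, would start failing, so the list should be checked against the shipped named configuration.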