net-dns/knot: enhance systemd service security

Suggested-by: hexumg <hexumg@gmail.com>
Bug: https://bugs.gentoo.org/606644

2 files changed, 21 insertions, 2 deletions

diff --git a/net-dns/knot/files/knot-1.service b/net-dns/knot/files/knot-1.service
new file mode 100644
index 000000000000..14a34a2b211f
--- /dev/null
+++ b/net-dns/knot/files/knot-1.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Knot high-performance DNS Server
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/knotd
+ExecReload=/usr/sbin/knotc reload
+ExecStop=/usr/sbin/knotc stop
+PrivateTmp=true
+User=knot
+Group=knot
+RuntimeDirectory=knot
+RuntimeDirectoryMode=750
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-dns/knot/knot-2.5.3-r1.ebuild b/net-dns/knot/knot-2.5.3-r1.ebuild
index d9263f9e8498..5d116b1a44c4 100644
--- a/net-dns/knot/knot-2.5.3-r1.ebuild
+++ b/net-dns/knot/knot-2.5.3-r1.ebuild
@@ -26,7 +26,7 @@ RDEPEND="
 	)
 	idn? ( || ( net-dns/libidn >=net-dns/libidn2-2.0.0 ) )
 	dev-libs/libedit
-	systemd? ( sys-apps/systemd )
+	systemd? ( >=sys-apps/systemd-229 )
 "
 DEPEND="${RDEPEND}
 	virtual/pkgconfig
@@ -66,7 +66,9 @@ src_install() {
 	keepdir /var/lib/${PN}
 
 	newinitd "${FILESDIR}/knot.init" knot
-	systemd_dounit "${FILESDIR}/knot.service"
+	if use systemd; then
+		systemd_newunit "${FILESDIR}/knot-1.service" knot
+	fi
 
 	find "${D}" -name '*.la' -delete || die
 }