systemd: base "RestrictAddressFamilies" on build options

This allows to not allow `AF_NETLINK` if `smbclient` is not enabled.
2023-09-15 22:27:19 +03:00 · 2023-09-15 22:27:19 +03:00 · bdfe5e97cd
parent df069bc456
commit bdfe5e97cd
3 changed files with 9 additions and 4 deletions
--- a/systemd/meson.build
+++ b/systemd/meson.build
@ -1,6 +1,13 @@
 systemd_unit_conf = configuration_data()
 systemd_unit_conf.set('prefix', get_option('prefix'))

+address_families = ['AF_INET', 'AF_INET6', 'AF_UNIX']
+if get_option('smbclient').enabled()
+  # AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
+  address_families += 'AF_NETLINK'
+endif
+systemd_unit_conf.set('address_families', ' '.join(address_families))
+
 systemd_socket_conf = configuration_data()
 listen_streams = []
 if get_option('local_socket')
--- a/systemd/system/mpd.service.in
+++ b/systemd/system/mpd.service.in
@ -27,8 +27,7 @@ NoNewPrivileges=yes
 ProtectKernelTunables=yes
 ProtectControlGroups=yes
 ProtectKernelModules=yes
-# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictAddressFamilies=@address_families@
 RestrictNamespaces=yes

 [Install]
--- a/systemd/user/mpd.service.in
+++ b/systemd/user/mpd.service.in
@ -28,8 +28,7 @@ ProtectSystem=yes
 NoNewPrivileges=yes
 ProtectKernelTunables=yes
 ProtectControlGroups=yes
-# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictAddressFamilies=@address_families@
 RestrictNamespaces=yes

 # Note that "ProtectKernelModules=yes" is missing in the user unit