authorSergei Golubchik <serg@mariadb.org>2016-09-09 08:33:08 +0200
committerSergei Golubchik <serg@mariadb.org>2016-09-09 08:33:08 +0200
commit06b7fce9f24116080168b924d17f71b979fc3a14 (patch)
tree5ff9f5684bb118abbee5a9fd3b838d0841661287 /support-files
parent1f2ff25eba6c089b2698cd0dab96155ccbf2afd2 (diff)
parent8494039757a2f6353cc161e7824aab4fe2312d2a (diff)
Merge branch '10.1' into 10.2
Diffstat (limited to 'support-files')
-rw-r--r--support-files/mariadb.service.in20
-rw-r--r--support-files/mariadb@.service.in26
2 files changed, 37 insertions, 9 deletions
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index 55202c696fb..15f41c6377f 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -45,16 +45,31 @@ Group=mysql
# To allow memlock to be used as non-root user if set in configuration
CapabilityBoundingSet=CAP_IPC_LOCK
+# Prevent writes to /usr, /boot, and /etc
+ProtectSystem=full
+
+# Doesn't yet work properly with SELinux enabled
+# NoNewPrivileges=true
+
+PrivateDevices=true
+
+# Prevent accessing /home, /root and /run/user
+ProtectHome=true
+
# Execute pre and post scripts as root, otherwise it does it as User=
PermissionsStartOnly=true
+@SYSTEMD_EXECSTARTPRE@
+
# Perform automatic wsrep recovery. When server is started without wsrep,
# galera_recovery simply returns an empty string. In any case, however,
# the script is not expected to return with a non-zero status.
# It is always safe to unset _WSREP_START_POSITION environment variable.
+# Do not panic if galera_recovery script is not available. (MDEV-10538)
ExecStartPre=/bin/sh -c "systemctl unset-environment _WSREP_START_POSITION"
-ExecStartPre=/bin/sh -c "VAR=`/usr/bin/galera_recovery`; [ $? -eq 0 ] && \
- systemctl set-environment _WSREP_START_POSITION=$VAR || exit 1"
+ExecStartPre=/bin/sh -c "[ ! -e /usr/bin/galera_recovery ] && VAR= || \
+ VAR=`/usr/bin/galera_recovery`; [ $? -eq 0 ] \
+ && systemctl set-environment _WSREP_START_POSITION=$VAR || exit 1"
# Needed to create system tables etc.
# ExecStartPre=/usr/bin/mysql_install_db -u mysql
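Review bot: In the rewritten `ExecStartPre=` line, `$VAR` is expanded unquoted into `systemctl set-environment _WSREP_START_POSITION=$VAR`, and with `PermissionsStartOnly=true` that shell runs as root. If galera_recovery ever prints more than one whitespace-separated token, each extra token reaches `systemctl set-environment` as its own argument, so the call either fails or sets an additional variable in the manager's environment. Quoting the assignment keeps the output a single value, e.g. `systemctl set-environment \"_WSREP_START_POSITION=$VAR\"` (this assumes systemd's `\"` escape inside the outer double quotes; confirm on the oldest supported systemd). The same construct is added in the mariadb@.service.in hunk, including its commented-out alternate form.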
@@ -64,7 +79,6 @@ ExecStartPre=/bin/sh -c "VAR=`/usr/bin/galera_recovery`; [ $? -eq 0 ] && \
# Use the [service] section and Environment="MYSQLD_OPTS=...".
# This isn't a replacement for my.cnf.
# _WSREP_NEW_CLUSTER is for the exclusive use of the script galera_new_cluster
-@SYSTEMD_EXECSTARTPRE@
ExecStart=/usr/sbin/mysqld $MYSQLD_OPTS $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION
@SYSTEMD_EXECSTARTPOST@
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index 18adf0e0eac..e941f21526e 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -52,6 +52,17 @@ Group=mysql
# To allow memlock to be used as non-root user if set in configuration
CapabilityBoundingSet=CAP_IPC_LOCK
+# Prevent writes to /usr, /boot, and /etc
+ProtectSystem=full
+
+# Doesn't yet work properly with SELinux enabled
+# NoNewPrivileges=true
+
+PrivateDevices=true
+
+# Prevent accessing /home, /root and /run/user
+ProtectHome=true
+
# Execute pre and post scripts as root, otherwise it does it as User=
PermissionsStartOnly=true
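Review bot: `PrivateDevices=true` is the only one of the three new sandboxing directives added without an explanatory comment, here and in the matching mariadb.service.in hunk. A line such as `# Private /dev with only pseudo-devices (null, zero, random); no physical devices` would tell an administrator what to check if a device-backed setup stops working. The `ProtectHome=true` and `ProtectSystem=full` comments could likewise say that a datadir, log or socket path under /home, /root, /usr or /etc becomes inaccessible or read-only to the server, and that the fix is a drop-in override rather than editing the shipped unit.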
@@ -59,16 +70,19 @@ PermissionsStartOnly=true
# galera_recovery simply returns an empty string. In any case, however,
# the script is not expected to return with a non-zero status.
# It is always safe to unset _WSREP_START_POSITION%I environment variable.
+# Do not panic if galera_recovery script is not available. (MDEV-10538)
ExecStartPre=/bin/sh -c "systemctl unset-environment _WSREP_START_POSITION%I"
-ExecStartPre=/bin/sh -c "VAR=`/usr/bin/galera_recovery \
- --defaults-file=@INSTALL_SYSCONF2DIR@/my%I.cnf`; [ $? -eq 0 ] && \
- systemctl set-environment _WSREP_START_POSITION%I=$VAR || exit 1"
+
+ExecStartPre=/bin/sh -c "[ ! -e /usr/bin/galera_recovery ] && VAR= || \
+ VAR=`/usr/bin/galera_recovery --defaults-file=@INSTALL_SYSCONF2DIR@/my%I.cnf`; [ $? -eq 0 ] \
+ && systemctl set-environment _WSREP_START_POSITION%I=$VAR || exit 1"
+
# Alternate: (remove ConditionPathExists above)
# use [mysqld.INSTANCENAME] as sections in my.cnf
#
-#ExecStartPre=/bin/sh -c "VAR=`/usr/bin/galera_recovery \
-# --defaults-group-suffix=%I`; [ $? -eq 0 ] && \
-# systemctl set-environment _WSREP_START_POSITION%I=$VAR || exit 1"
+#ExecStartPre=/bin/sh -c "[ ! -e /usr/bin/galera_recovery ] && VAR= || \
+# VAR=`/usr/bin/galera_recovery --defaults-group-suffix=%I`; [ $? -eq 0 ] \
+# && systemctl set-environment _WSREP_START_POSITION%I=$VAR || exit 1"
# Needed to create system tables etc.
# ExecStartPre=/usr/bin/mysql_install_db -u mysql
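Review bot: The new `ExecStartPre=` line still places `%I` inside the `/bin/sh -c` string, so systemd substitutes the unescaped instance name before the shell parses the command, and that command runs as root given `PermissionsStartOnly=true` in this unit. Instance names are normally chosen by an administrator, but a name containing whitespace, `;` or a backtick would alter the command itself rather than only the `my%I.cnf` path and the `_WSREP_START_POSITION%I` variable name. This predates the commit (the removed lines used `%I` the same way), but since the line is being rewritten it is a good moment to switch to the escaped specifier `%i`, or to document the accepted instance-name characters in the unit's comments. For plain alphanumeric names `%i` and `%I` expand identically. Any `ConditionPathExists=` that the comment refers to lies outside this hunk and would need the same treatment.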