corazawaf · DavidProdinger · Nov 14, 2024 · Nov 18, 2024 · Nov 19, 2024 · Nov 20, 2024
diff --git a/contrib/coraza-spoa.service b/contrib/coraza-spoa.service
@@ -1,12 +1,17 @@
 [Unit]
 Description=Coraza WAF SPOA Daemon
 Documentation=https://www.coraza.io
+After=network.target
 
 [Service]
 ExecStart=/usr/bin/coraza-spoa -config=/etc/coraza-spoa/config.yaml
-WorkingDirectory=/
+ExecReload=/bin/kill -HUP $MAINPID
+WorkingDirectory=/etc/coraza-spoa/
 Restart=always
-Type=exec
+Type=notify
+# notify-reload is pretty new and isn't available on debian 12
+#Type=notify-reload
+NotifyAccess=all
 User=coraza-spoa
 Group=coraza-spoa
 
@@ -45,7 +50,7 @@ InaccessiblePaths=-/opt
 InaccessiblePaths=-/srv
 #InaccessiblePaths=-/bin
 InaccessiblePaths=-/bin/bash
-inaccessiblepaths=-/bin/find
+InaccessiblePaths=-/bin/find
 InaccessiblePaths=-/bin/less
 InaccessiblePaths=-/bin/zcat
 InaccessiblePaths=-/bin/rm
@@ -105,7 +110,7 @@ InaccessiblePaths=-/usr/bin/htop
 InaccessiblePaths=-/usr/bin/ipcmk
 InaccessiblePaths=-/usr/bin/journalctl
 InaccessiblePaths=-/usr/bin/keyctl
-InaccessiblePaths=-/usr/bin/kill
+# InaccessiblePaths=-/usr/bin/kill
 InaccessiblePaths=-/usr/bin/killall
 InaccessiblePaths=-/usr/bin/ksh
 InaccessiblePaths=-/usr/bin/last
@@ -293,7 +298,7 @@ PrivateTmp=true
 
 RemoveIPC=true
 
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 #RestrictNamespaces=uts ipc pid user cgroup
 
 SystemCallArchitectures=native

diff --git a/internal/daemon.go b/internal/daemon.go
@@ -0,0 +1,44 @@
+package internal
+
+import (
+	"net"
+	"os"
+	"strconv"
+	"time"
+)
+
+func SdNotify(message string) error {
+	socketAddr := &net.UnixAddr{
+		Name: os.Getenv("NOTIFY_SOCKET"),
+		Net:  "unixgram",
+	}
+
+	if socketAddr.Name == "" {
+		return nil
+	}
+
+	conn, err := net.DialUnix(socketAddr.Net, nil, socketAddr)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	if _, err = conn.Write([]byte(message)); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func SdNotifyReady() error {
+	return SdNotify("READY=1")
+}
+
+func SdNotifyReloading() error {
+	microseconds := time.Now().UnixMicro()
+	return SdNotify("RELOADING=1\nMONOTONIC_USEC=" + strconv.FormatInt(microseconds, 10))
+}
+
+func SdNotifyStopping() error {
+	return SdNotify("STOPPING=1")
+}
diff --git a/main.go b/main.go
@@ -79,6 +79,12 @@ func main() {
 		defer cancelFunc()
 
 		globalLogger.Info().Msg("Starting coraza-spoa")
+
+		err := internal.SdNotifyReady()
+		if err != nil {
+			globalLogger.Error().Err(err).Msg("Failed notifying daemon")
+		}
+
 		if err := a.Serve(l); err != nil {
 			globalLogger.Fatal().Err(err).Msg("listener closed")
 		}
@@ -126,11 +132,28 @@ outer:
 				continue
 			}
 
+			err = internal.SdNotifyReloading()
+			if err != nil {
+				globalLogger.Error().Err(err).Msg("Failed notifying daemon")
+			}
+
 			a.ReplaceApplications(apps)
 			cfg = newCfg
+
+			err = internal.SdNotifyReady()
+			if err != nil {
+				globalLogger.Error().Err(err).Msg("Failed notifying daemon")
+			}
 		}
 	}
 
+	globalLogger.Info().Msg("Stopping coraza-spoa")
+
+	err = internal.SdNotifyStopping()
+	if err != nil {
+		globalLogger.Error().Err(err).Msg("Failed notifying daemon")
+	}
+
 	if memProfile != "" {
 		f, err := os.Create(memProfile)
 		if err != nil {