From 8570d5ff5bda4ecfab8440bb8a5ab14455c2c56b Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Fri, 2 Aug 2024 12:45:02 +0200
Subject: [PATCH] Fix the systemd unit security section.

---
 .vscode/settings.json | 3 +++
 defaults/main.yml | 2 ++
 templates/tomcat-service.j2 | 11 ++++++++---
 3 files changed, 13 insertions(+), 3 deletions(-)
 create mode 100644 .vscode/settings.json

diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..2de2499
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "ansible.python.interpreterPath": "/opt/local/bin/python3.10"
+}
\ No newline at end of file
diff --git a/defaults/main.yml b/defaults/main.yml
index 88f0163..38e8c64 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -79,6 +79,8 @@ tomcat_m_enable_instances: True
 tomcat_m_jndi_pool: False
 tomcat_m_direct_access: False
 
+tomcat_systemd_additional_rw_paths: []
+
 # JMX and debugging
 tomcat_m_enable_remote_debugging: False
 tomcat_m_remote_debugging_host: '0.0.0.0'
diff --git a/templates/tomcat-service.j2 b/templates/tomcat-service.j2
index 08eb9ee..4b72479 100644
--- a/templates/tomcat-service.j2
+++ b/templates/tomcat-service.j2
@@ -7,7 +7,7 @@ Description=Apache Tomcat {{ tomcat_version}} Web Application Server
 After=syslog.target network.target
 StartLimitIntervalSec=500
 StartLimitBurst=5
-RequiresMountsFor={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} /var/lib/tomcat{{ tomcat_version }}
+RequiresMountsFor={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} {{ item.instance_path }}
 
 [Service]
 Environment="CATALINA_HOME=/usr/share/tomcat{{ tomcat_version }}"
@@ -18,7 +18,7 @@ ExecStartPre=+/usr/libexec/tomcat{{ tomcat_version}}/tomcat-update-policy.sh
 ExecStart=/bin/sh /usr/libexec/tomcat{{ tomcat_version }}/tomcat-instance-{{ item.http_port }}-start.sh
 SuccessExitStatus=143
 RestartSec=10
-Restart=on-failure on-abort
+Restart=on-failure
 
 # Logging
 SyslogIdentifier=tomcat{{ tomcat_version }}
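Review bot: The new `.vscode/settings.json` pins `ansible.python.interpreterPath` to `/opt/local/bin/python3.10`, an absolute path that appears to be specific to the author's workstation, so committing it overrides the interpreter for every other contributor who opens the role in VS Code. Editor settings carrying machine-local paths are normally kept out of the repository: drop the file from this commit and add `.vscode/` to `.gitignore`, or mention the interpreter setting as an example in the README instead. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.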
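Review bot: `tomcat_systemd_additional_rw_paths: []` is added without the section comment that the neighbouring groups in this defaults file carry (`# JMX and debugging`), so a role user cannot tell from `defaults/main.yml` that each entry becomes a `ReadWritePaths=` line in the instance's systemd unit and therefore opens a hole in `ProtectSystem=strict`. Add a heading above it such as `# Extra directories the Tomcat instance may write to while ProtectSystem=strict is in effect; each entry is rendered as a ReadWritePaths= line in the unit (absolute paths only)`. It would also help to say that the list applies to every instance, since the template loops over this one variable with no per-instance key, though that is inferred from the template hunk rather than from this file.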
@@ -33,8 +33,12 @@ CacheDirectoryMode=750
 ProtectSystem=strict
 ReadWritePaths={{ item.instance_path }}/conf/Catalina/
 ReadWritePaths={{ item.instance_path }}/webapps
+ReadWritePaths={{ item.instance_path }}/lib
 ReadWritePaths={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }}
-{% endif %}
+{% for path in tomcat_systemd_additional_rw_paths %}
+ReadWritePaths={{ path }}
+{% endfor %}
+
 {% if tomcat_systemd_security_enhanced %}
 ProtectSystem=strict
 ProtectHome=yes
@@ -46,6 +50,7 @@ RestrictAddressFamilies=AF_INET6 AF_INET
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 {% endif %}
+{% endif %}
 
 [Install]
 WantedBy=multi-user.target
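Review bot: `ReadWritePaths={{ item.instance_path }}/lib` makes the instance's own lib directory writable by the service, which is the directory Tomcat loads jars from, so a compromised Tomcat process could now alter code it will execute on the next restart — exactly the persistence that `ProtectSystem=strict` was meant to rule out. If a component genuinely needs to write there, name it in a comment above the line (`# lib must be writable because …`) or narrow the grant to the subdirectory it writes; otherwise drop the line. The `{% for path in tomcat_systemd_additional_rw_paths %}` loop likewise emits whatever the caller supplies unchecked; `ReadWritePaths=` is a whitespace-separated list that systemd requires to hold absolute paths, so an entry containing spaces needs quoting and an empty or relative entry yields an assignment systemd rejects — consider rendering it as `ReadWritePaths="{{ path }}"` and validating the list in the role's tasks. Moving the old `{% endif %}` down to the `@@ -46,6 +50,7 @@` hunk nests the `tomcat_systemd_security_enhanced` block inside the enclosing `{% if %}`, whose opening condition lies outside this hunk, so presumably the enhanced hardening now takes effect only when that outer condition also holds; this is worth stating in a comment at the outer `{% if %}` or in the role README.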