; For further details about the directives used in this unit file, including
; the below, please refer to systemd's official documentation, available at
; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
;
;
; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
;   read-only for the processes invoked by the unit except for the API file
;   system subtrees /dev, /proc and /sys (which are protected by
;   PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
;
; - `PrivateTmp=yes` secures access to temporary files of the process, and
;   makes sharing between processes via /tmp or /var/tmp impossible.
;
; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
;   inaccessible and empty for processes invoked by the unit.
;
; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
;   (accessible through /sys/fs/cgroup) read-only to all processes invoked by
;   the unit. It also implies `MountAPIVFS=yes`.
;
; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
;   unit User and Group with read-write permissions (0755) as soon as the
;   unit starts. This allows unbound to store its pidfile. The directory and
;   its content are automatically removed by systemd when the unit stops.
;
; - `NoNewPrivileges=yes` ensures that the service process and all its
;   children can never gain new privileges through execve().
;
; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
;   (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
;
; - `RestrictRealtime=yes` ensures that any attempts to enable realtime
;   scheduling in a process invoked by the unit will be denied.
;
; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
;   is prohibited.
;
; - `LockPersonality=yes` locks down the personality system call so that the
;   kernel execution domain may not be changed from the default.
;
;
[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
After=network.target
Before=network-online.target nss-lookup.target

[Install]
WantedBy=multi-user.target

[Service]
ExecReload=+/bin/kill -HUP $MAINPID
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
NotifyAccess=main
Type=notify
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
# This breaks using socket options like 'so-rcvbuf'. Explicitly disabled for visibility.
ProtectKernelTunables=false
ProtectProc=invisible
ProtectSystem=strict
RuntimeDirectory=unbound
ConfigurationDirectory=unbound
StateDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@

# The rules below are needed when chroot is enabled (it usually is by default).
# If chroot is disabled (chroot: "") they may be safely removed.
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
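Added example, not part of the unbound project or of this unit file: a small Python checker that parses a unit file with systemd's assignment semantics (a repeated key appends, an empty `Key=` resets the list) and reports, for each sandboxing directive explained in the comments above, whether it is set as expected, missing, or weakened, such as the deliberately relaxed `ProtectKernelTunables=false`. The sample unit text is constructed for the example; the boolean spellings in `TRUE_WORDS` are the ones systemd documents.

```python
TRUE_WORDS = {"1", "yes", "true", "on"}   # spellings systemd accepts for a true boolean
# Sandboxing directives the unit file above relies on, and the value each should have.
EXPECTED = {"ProtectSystem": "strict", "PrivateTmp": True, "ProtectHome": True,
            "ProtectControlGroups": True, "NoNewPrivileges": True, "RestrictSUIDSGID": True,
            "RestrictRealtime": True, "RestrictNamespaces": True, "LockPersonality": True,
            "ProtectKernelTunables": True}

def parse_unit(text):
    """Return {section: {key: [values]}}; a repeated key appends, 'Key=' resets the list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":             # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            if value:
                current.setdefault(key, []).append(value)
            else:
                current[key] = []                   # empty assignment clears earlier ones
    return sections

def hardening_report(text):
    """Map each expected directive to 'ok', 'missing' or 'weakened: <value>'."""
    service = parse_unit(text).get("Service", {})
    report = {}
    for key, want in EXPECTED.items():
        got = (service.get(key) or [None])[-1]      # scalar settings: last assignment wins
        if got is None:
            report[key] = "missing"
        elif (got.lower() in TRUE_WORDS) if want is True else (got == want):
            report[key] = "ok"
        else:
            report[key] = f"weakened: {got}"
    return report

# Constructed sample: a cut-down copy of the unit above with ProtectHome left out.
SAMPLE = """[Service]
ProtectSystem=strict
PrivateTmp=true
ProtectControlGroups=true
NoNewPrivileges=true
ProtectKernelTunables=false
RestrictRealtime=true
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
"""
```

Running `hardening_report(SAMPLE)` flags `ProtectHome` as missing and `ProtectKernelTunables` as weakened, which is the kind of drift worth catching when a distribution or a local override edits the shipped unit.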