; For further details about the directives used in this unit file, including
; those summarized below, please refer to systemd's official documentation at
; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
4;
5;
6;   - `ProtectSystem=strict` implies we mount the entire file system hierarchy
7;     read-only for the processes invoked by the unit except for the API file
8;     system subtrees /dev, /proc and /sys (which are protected by
9;     PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
10;
11;   - `PrivateTmp=yes` secures access to temporary files of the process, and
12;     makes sharing between processes via /tmp or /var/tmp impossible.
13;
14;   - `ProtectHome=yes` makes the directories /home, /root, and /run/user
15;     inaccessible and empty for processes invoked by the unit.
16;
17;   - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
18;     (accessible through /sys/fs/cgroup) read-only to all processes invoked by
19;     the unit. It also implies `MountAPIVFS=yes`.
20;
;   - `RuntimeDirectory=unbound` creates the directory /run/unbound, owned by
;     the unit's User and Group and with mode 0755, as soon as the unit starts.
;     This allows unbound to store its pidfile. The directory and its contents
;     are removed automatically by systemd when the unit stops.
25;
26;   - `NoNewPrivileges=yes` ensures that the service process and all its
27;     children can never gain new privileges through execve().
28;
29;   - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
30;     (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
31;
;   - `RestrictRealtime=yes` ensures that any attempts to enable realtime
;     scheduling in a process invoked by the unit will be denied.
34;
35;   - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
36;     is prohibited.
37;
38;   - `LockPersonality=yes` locks down the personality system call so that the
39;     kernel execution domain may not be changed from the default.
40;
41;
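[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
; Start once basic networking is up and before units that wait for name
; resolution. Wants= pulls nss-lookup.target into the transaction so that the
; Before= ordering is actually honoured by consumers ordered
; After=nss-lookup.target; a bare Before= is a no-op when nothing activates the
; target (see systemd.special(7)).
After=network.target
Before=network-online.target nss-lookup.target
Wants=nss-lookup.target
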
[Install]
; Pulled in by multi-user.target once the unit is enabled.
WantedBy=multi-user.target

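[Service]
; The leading "+" runs this one command with full privileges, outside the
; sandbox configured below (bounding set, namespaces, NoNewPrivileges=).
; Presumably required so the signal reaches $MAINPID after unbound has dropped
; to an unprivileged user — confirm; keep the command itself minimal.
ExecReload=+/bin/kill -HUP $MAINPID
; @...@ tokens are build-time placeholders substituted when the unit is
; generated. "-d" keeps unbound in the foreground, as Type=notify needs.
; "-p" presumably disables the pidfile — check unbound(8); the header comment
; above still describes RuntimeDirectory= as the pidfile location.
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
; Only the main process may send readiness notifications to systemd.
NotifyAccess=main
Type=notify
; No User=/Group= is set, so the process starts as root and unbound is expected
; to drop privileges itself from its own configuration — confirm. The bounding
; set below is what survives that drop; review CAP_NET_RAW and CAP_SYS_RESOURCE
; periodically and keep each only while unbound demonstrably needs it.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
; No memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=true
NoNewPrivileges=true
; Filesystem and kernel-interface isolation; the header comment at the top of
; this file explains the individual directives.
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
; Deliberately off: enabling it breaks socket options like 'so-rcvbuf'.
; Stated explicitly rather than omitted so the exception stays visible.
ProtectKernelTunables=false
ProtectProc=invisible
ProtectSystem=strict
; Directories systemd creates and manages for the unit; they remain writable
; under ProtectSystem=strict.
RuntimeDirectory=unbound
ConfigurationDirectory=unbound
StateDirectory=unbound
; AF_UNIX covers the notify socket and /dev/log bound into the chroot below;
; AF_NETLINK is presumably needed for interface/route queries — confirm before
; tightening this list.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
; Deny-list ("~"). The bare mount syscall is listed instead of the whole @mount
; group, presumably because @mount would also deny chroot(), which unbound uses
; when chroot: is enabled — confirm.
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=true
LockPersonality=true
RestrictSUIDSGID=true
; Besides the *Directory= entries above and the private /tmp, these are the
; paths left writable under ProtectSystem=strict. The chroot directory is
; writable so unbound can operate inside it; keep this list minimal.
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@

; Below rules are needed when chroot is enabled (usually it's enabled by default).
; If chroot is disabled like chroot: "" then they may be safely removed.
; Read-only tmpfs instances for /dev and /run inside the chroot; the binds that
; follow expose only the specific nodes unbound needs there. The leading "-"
; makes a bind optional: a missing source path does not fail the start.
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
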