; For further details about the directives used in this unit file, including
; the ones explained below, please refer to systemd's official documentation,
; available at https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
;
;
; - `ProtectSystem=strict` mounts the entire file system hierarchy read-only
; for the processes invoked by the unit, except for the API file system
; subtrees /dev, /proc and /sys (which are protected separately by
; PrivateDevices=, ProtectKernelTunables= and ProtectControlGroups=).
;
; - `PrivateTmp=yes` secures access to the temporary files of the process and
; makes sharing with other processes via /tmp or /var/tmp impossible.
;
; - `ProtectHome=yes` makes the directories /home, /root and /run/user
; inaccessible and empty for processes invoked by the unit.
;
; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
; (accessible through /sys/fs/cgroup) read-only to all processes invoked by
; the unit. It also implies `MountAPIVFS=yes`.
;
; - `RuntimeDirectory=unbound` creates the directory /run/unbound, owned by the
; unit's User= and Group= and created with mode 0755 (the RuntimeDirectoryMode=
; default), as soon as the unit starts. This allows unbound to store its
; pidfile. The directory and its content are automatically removed by systemd
; when the unit stops.
;
; - `NoNewPrivileges=yes` ensures that the service process and all its
; children can never gain new privileges through execve().
;
; - `RestrictSUIDSGID=yes` ensures that any attempt to set the set-user-ID
; (SUID) or set-group-ID (SGID) bit on files or directories is denied.
;
; - `RestrictRealtime=yes` ensures that any attempt to enable realtime
; scheduling in a process invoked by the unit is denied.
;
; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
; is prohibited.
;
; - `LockPersonality=yes` locks down the personality system call so that the
; kernel execution domain may not be changed from the default.
;
;
[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
After=network.target
Before=network-online.target nss-lookup.target

[Install]
WantedBy=multi-user.target

[Service]
ExecReload=+/bin/kill -HUP $MAINPID
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
NotifyAccess=main
Type=notify
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
# This breaks using socket options like 'so-rcvbuf'. Explicitly disabled here for visibility.
ProtectKernelTunables=false
ProtectProc=invisible
ProtectSystem=strict
RuntimeDirectory=unbound
ConfigurationDirectory=unbound
StateDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@

# The rules below are needed when chroot is enabled (it usually is, by default).
# If chroot is disabled (chroot: "" in unbound.conf) they may be safely removed.
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
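The directives explained in the comment block are easy to lose when a unit is edited or overridden later, so here is an added example, written for this page and not taken from unbound or systemd: a POSIX shell audit of a unit file's [Service] section that reports which of the hardening settings described above are missing or weakened. Directive names and the accepted boolean spellings come from systemd.exec(5); which settings it treats as required, how it grades findings, and the two constructed sample units it writes to temporary files (one mirroring the unit above, one deliberately under-hardened) are this example's own assumptions.

```shell
# Added example (not part of unbound or systemd): audit the [Service] section
# of a unit file for the hardening directives explained in the comments above.
# Directive names and boolean spellings follow systemd.exec(5); which directives
# are treated as required, and how findings are graded, is this script's own choice.
# unit_get FILE KEY [all]: value of KEY= in [Service]. Last assignment wins,
# as for systemd's single-value settings; pass a third argument to join every
# assignment instead (list settings such as CapabilityBoundingSet=).
unit_get() {
    awk -v key="$2" -v all="$3" -F= '
        /^[[:space:]]*[#;]/ { next }
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && $1 == key { sub(/^[^=]*=/, ""); val = all ? val " " $0 : $0 }
        END { print val }
    ' "$1"
}
# is_true VALUE: systemd booleans are case-insensitive (yes/true/on/1).
is_true() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in 1|yes|true|on) return 0 ;; *) return 1 ;; esac
}

# audit_unit FILE: print one finding per line; the return status is the number
# of findings, so 0 means every check passed.
audit_unit() {
    unit=$1; findings=0
    for key in NoNewPrivileges PrivateTmp ProtectHome ProtectControlGroups \
               RestrictRealtime RestrictNamespaces LockPersonality \
               RestrictSUIDSGID MemoryDenyWriteExecute PrivateDevices; do
        if ! is_true "$(unit_get "$unit" "$key")"; then
            echo "MISSING: $key= is not enabled"; findings=$((findings + 1))
        fi
    done
    # "yes" covers /usr and /boot, "full" adds /etc; only "strict" makes the
    # whole hierarchy read-only apart from /dev, /proc and /sys.
    if [ "$(unit_get "$unit" ProtectSystem)" != strict ]; then
        echo "WEAK: ProtectSystem= is not 'strict'"; findings=$((findings + 1))
    fi
    # The unbound unit turns this off on purpose (so-rcvbuf); report it so the
    # trade-off stays visible instead of being silently accepted.
    case "$(unit_get "$unit" ProtectKernelTunables | tr 'A-Z' 'a-z')" in
        0|no|false|off)
            echo "NOTE: ProtectKernelTunables= is off; /proc/sys and /sys stay writable"
            findings=$((findings + 1)) ;;
    esac
    # An unset bounding set keeps every capability; CAP_SYS_ADMIN alone is
    # enough to undo most of the rest of the sandbox.
    caps=$(unit_get "$unit" CapabilityBoundingSet all)
    case " $caps " in
        "  ") echo "MISSING: CapabilityBoundingSet= unset (all capabilities kept)"
              findings=$((findings + 1)) ;;
        *" CAP_SYS_ADMIN "*) echo "WEAK: CapabilityBoundingSet= includes CAP_SYS_ADMIN"
              findings=$((findings + 1)) ;;
    esac
    # systemd.exec(5) recommends pinning the ABI whenever a syscall filter is
    # used, so a non-native ABI cannot be used to sidestep the filter.
    if [ -n "$(unit_get "$unit" SystemCallFilter)" ] &&
       [ "$(unit_get "$unit" SystemCallArchitectures)" != native ]; then
        echo "WEAK: SystemCallFilter= without SystemCallArchitectures=native"
        findings=$((findings + 1))
    fi
    return "$findings"
}
# Constructed sample units in temp files: the first mirrors the unit above
# (keeping its deliberate ProtectKernelTunables=false), the second is a
# typical under-hardened service.
write_hardened_sample() {
    f=$(mktemp); cat >"$f" <<'EOF'; echo "$f"
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
# This breaks using socket options like 'so-rcvbuf'.
ProtectKernelTunables=false
ProtectSystem=strict
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
EOF
}
write_weak_sample() {
    f=$(mktemp); cat >"$f" <<'EOF'; echo "$f"
[Service]
ProtectSystem=full
NoNewPrivileges=yes
PrivateTmp=Yes
SystemCallFilter=~@mount
EOF
}

# Usage: sh audit_unit.sh /etc/systemd/system/unbound.service
if [ $# -gt 0 ]; then audit_unit "$1"; fi
```

Run it against the real unit path, or source it and call `audit_unit` directly; the exit status is the number of findings, so it drops into a CI step unchanged. It only reads the unit text it is given: drop-in overrides under unbound.service.d/ and systemd's own defaults are not taken into account, so for the effective sandbox on a target host, `systemd-analyze security unbound.service` remains the authoritative check.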