; For further details about the directives used in this unit file, including
; the below, please refer to systemd's official documentation, available at
; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
;
;
; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
;   read-only for the processes invoked by the unit except for the API file
;   system subtrees /dev, /proc and /sys (which are protected by
;   PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). Note that
;   this unit sets ProtectKernelTunables=false (see below), so /proc/sys and
;   the other kernel tunables are not made read-only by that option here.
;
; - `PrivateTmp=yes` secures access to temporary files of the process, and
;   makes sharing between processes via /tmp or /var/tmp impossible.
;
; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
;   inaccessible and empty for processes invoked by the unit.
;
; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
;   (accessible through /sys/fs/cgroup) read-only to all processes invoked by
;   the unit. It also implies `MountAPIVFS=yes`.
;
; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
;   unit's User= and Group=, with mode 0755, as soon as the unit starts (this
;   unit sets neither, so the directory is root-owned; the retained
;   CAP_SETUID/CAP_SETGID let unbound drop to its own user after start-up).
;   This allows unbound to store its pidfile. The directory and its content
;   are automatically removed by systemd when the unit stops.
;
; - `NoNewPrivileges=yes` ensures that the service process and all its
;   children can never gain new privileges through execve().
;
; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
;   (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
;
; - `RestrictRealtime=yes` ensures that any attempts to enable realtime
;   scheduling in a process invoked by the unit will be denied.
;
; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
;   is prohibited.
;
; - `LockPersonality=yes` locks down the personality system call so that the
;   kernel execution domain may not be changed from the default.
;
;
[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
After=network-online.target
Before=nss-lookup.target
Wants=network-online.target nss-lookup.target

[Install]
WantedBy=multi-user.target

[Service]
ExecReload=+/bin/kill -HUP $MAINPID
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
NotifyAccess=main
Type=notify
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
# ProtectKernelTunables=true breaks socket options such as 'so-rcvbuf'.
# Set it to false explicitly so the choice is visible.
ProtectKernelTunables=false
ProtectProc=invisible
ProtectSystem=strict
RuntimeDirectory=unbound
ConfigurationDirectory=unbound
StateDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@

# The rules below are needed when chroot is enabled (it usually is by default).
# If chroot is disabled (chroot: "") they may be safely removed.
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
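As an added example, not code from unbound, NetBSD or systemd: a small Python audit script that parses the unit-file syntax used above (sections, repeated keys such as TemporaryFileSystem= and BindReadOnlyPaths= accumulating into lists, an empty Key= clearing a list, the '+' prefix on ExecReload= and the '-' prefix on Bind*Paths=) and then reports which sandboxing options the [Service] section leaves off, which capabilities and writable paths remain, and which commands escape the sandbox entirely. The sample input is a constructed excerpt of the unit above with the @...@ placeholders left unexpanded; the HARDENING_BOOLS list is this example's own choice of directives to check, not a systemd-defined set.

```python
"""Parse a systemd service unit and audit its sandboxing directives.

Added example, not code from unbound or systemd. Implements just enough of the
unit-file syntax to read the unit above: [Section] headers, Key=Value lines,
'#'/';' comments, repeated keys that accumulate, Key= clearing such a list,
and the '+' (full privileges) and '-' (source may be missing) value prefixes.
"""
from collections import defaultdict

# Constructed input: hardening-relevant lines of the unit above, with the
# @...@ autoconf placeholders left unexpanded (the parser does not care).
UNIT_TEXT = """\
[Unit]
Description=Validating, recursive, and caching DNS resolver
[Service]
ExecReload=+/bin/kill -HUP $MAINPID
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
ProtectKernelTunables=false
ProtectSystem=strict
RestrictRealtime=true
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
"""

# This example's own checklist of boolean sandboxing directives (assumption).
HARDENING_BOOLS = (
    "NoNewPrivileges", "PrivateTmp", "PrivateDevices", "ProtectHome",
    "ProtectKernelTunables", "ProtectKernelModules", "ProtectControlGroups",
    "RestrictRealtime", "RestrictNamespaces", "LockPersonality",
    "RestrictSUIDSGID", "MemoryDenyWriteExecute",
)


def parse_unit(text):
    """Return {section: {key: [value, ...]}}; every key maps to a list."""
    units, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = units.setdefault(line[1:-1], defaultdict(list))
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = (part.strip() for part in line.partition("="))
        if value:
            section[key].append(value)
        else:
            section[key] = []  # systemd semantics: Key= resets the accumulated list
    return units


def as_bool(values, default=False):
    """systemd boolean, last assignment wins: yes/true/on/1 or no/false/off/0."""
    if not values:
        return default
    value = values[-1].lower()
    if value not in ("1", "yes", "true", "on", "0", "no", "false", "off"):
        raise ValueError(f"not a boolean: {values[-1]!r}")
    return value in ("1", "yes", "true", "on")


def audit_service(units):
    """Summarise what the [Service] section does and does not restrict."""
    svc = units.get("Service", {})
    report = {
        "not_enabled": [k for k in HARDENING_BOOLS if not as_bool(svc.get(k, []))],
        "protect_system": (svc.get("ProtectSystem") or ["no"])[-1],
        "capabilities": " ".join(svc.get("CapabilityBoundingSet", [])).split(),
        "writable_paths": " ".join(svc.get("ReadWritePaths", [])).split(),
    }
    # A '+' prefix on an Exec*= command runs it with full privileges: User=,
    # CapabilityBoundingSet= and the namespacing options do not apply to it.
    report["privileged_exec"] = [(k, v[1:]) for k in svc if k.startswith("Exec")
                                 for v in svc[k] if v.startswith("+")]
    # SystemCallFilter= values starting with '~' are deny lists, others allow lists.
    denied, allowed = [], []
    for value in svc.get("SystemCallFilter", []):
        (denied if value.startswith("~") else allowed).extend(value.lstrip("~").split())
    report["syscall_denied"], report["syscall_allowed"] = denied, allowed
    # Bind*Paths= entries are SOURCE[:DEST[:OPTIONS]]; a leading '-' makes a
    # missing SOURCE non-fatal instead of failing the unit.
    mounts = []
    for key in ("BindPaths", "BindReadOnlyPaths"):
        for spec in svc.get(key, []):
            parts = spec.lstrip("-").split(":")
            mounts.append((key, parts[0], parts[1] if len(parts) > 1 else parts[0],
                           spec.startswith("-")))
    report["bind_mounts"] = mounts
    return report


if __name__ == "__main__":
    for name, value in audit_service(parse_unit(UNIT_TEXT)).items():
        print(f"{name}: {value}")
```

Run against the excerpt, the report lists ProtectKernelTunables as the one checklist option left off, shows the six retained capabilities and the two ReadWritePaths= entries that stay writable under ProtectSystem=strict, and flags ExecReload= as a command that runs outside the sandbox because of its '+' prefix. Point it at a real unit with `parse_unit(open(path).read())` to compare a local unit or drop-in against the upstream one.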