From 72bfa5a48c309443a5eb62f8cfc2cd1219eb1401 Mon Sep 17 00:00:00 2001
From: Maryse47 <41080948+Maryse47@users.noreply.github.com>
Date: Sat, 25 Jan 2020 00:48:25 +0100
Subject: [PATCH] Move unbound_nochroot.service to unbound_portable.service

The real purpose of this service is to make it work with https://systemd.io/PORTABLE_SERVICES/ which are incompatible with chroot workarounds from original unbound.service. The service content is identical to unbound.service with exception for chroot related rules which were modified as needed.
---
 configure | 4 +-
 configure.ac | 2 +-
 contrib/README | 5 +-
 contrib/unbound_nochroot.service.in | 97 ----------------------------
 contrib/unbound_portable.service.in | 50 +++++++++++++++
 5 files changed, 55 insertions(+), 103 deletions(-)
 delete mode 100644 contrib/unbound_nochroot.service.in
 create mode 100644 contrib/unbound_portable.service.in

diff --git a/configure b/configure
index d5f8d8cee..cc9ac46e8 100755
--- a/configure
+++ b/configure
@@ -21441,7 +21441,7 @@ version=1.9.7
 date=`date +'%b %e, %Y'`
-ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service"
+ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service"
 ac_config_headers="$ac_config_headers config.h"
@@ -22447,7 +22447,7 @@ do
 "contrib/libunbound.pc") CONFIG_FILES="$CONFIG_FILES contrib/libunbound.pc" ;;
 "contrib/unbound.socket") CONFIG_FILES="$CONFIG_FILES contrib/unbound.socket" ;;
 "contrib/unbound.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound.service" ;;
- "contrib/unbound_nochroot.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_nochroot.service" ;;
+ "contrib/unbound_portable.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_portable.service" ;;
 "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
 *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
diff --git a/configure.ac b/configure.ac
index a356dcf7d..47a86c560 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2056,6 +2056,6 @@ dnl if this is a distro tarball, that was already done by makedist.sh
 AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO])
 AC_SUBST(date, [`date +'%b %e, %Y'`])
-AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service])
+AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service])
 AC_CONFIG_HEADER([config.h])
 AC_OUTPUT
diff --git a/contrib/README b/contrib/README
index 1dce78c09..d8afceabd 100644
--- a/contrib/README
+++ b/contrib/README
@@ -31,9 +31,8 @@ distribution but may be helpful.
 Contributed by Yuri Voinov.
 * unbound.socket and unbound.service: systemd files for unbound, install them in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov.
-* unbound_nochroot.service.in: systemd file for use with chroot: "", see
- comments in the file, it uses systemd protections instead. Contributed
- by Frzk.
+* unbound_portable.service.in: systemd file for use unbound as portable service,
+ see comments in the file. Contributed by Frzk.
 * redirect-bogus.patch: Return configured address for bogus A and AAAA answers, instead of SERVFAIL. Contributed by SIDN.
 * fastrpz.patch: fastrpz support from Farsight Security.
diff --git a/contrib/unbound_nochroot.service.in b/contrib/unbound_nochroot.service.in
deleted file mode 100644
index 301062e38..000000000
--- a/contrib/unbound_nochroot.service.in
+++ /dev/null
@@ -1,97 +0,0 @@
-; This unit file is provided to run unbound without chroot.
-;
-; To use this unit file, please make sure you either compile unbound with the
-; following options:
-;
-; - --with-pidfile=/run/unbound/unbound.pid
-; - --with-chroot-dir=""
-;
-; Or put the following options in your unbound configuration file:
-;
-; - chroot: ""
-; - pidfile: /run/unbound/unbound.pid
-;
-; Running without the chroot doesn't mean it's less secure. Simply put, we will
-; instead rely on a few systemd directives to harden the service.
-; To quote systemd : it's like a chroot on steroids !
-;
-; The most important parts are :
-;
-; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
-; read-only for the processes invoked by the unit except for the API file
-; system subtrees /dev, /proc and /sys (which are protected by
-; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
-;
-; - `PrivateTmp=yes` secures access to temporary files of the process, and
-; makes sharing between processes via /tmp or /var/tmp impossible.
-;
-; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
-; inaccessible and empty for processes invoked by the unit.
-;
-; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
-; (accessible through /sys/fs/cgroup) read-only to all processes invoked by
-; the unit. It also implies `MountAPIVFS=yes`.
-;
-; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
-; unit User and Group with read-write permissions (0755) as soon as the
-; unit starts. This allows unbound to store its pidfile. The directory and
-; its content are automatically removed by systemd when the unit stops.
-;
-; - `NoNewPrivileges=yes` ensures that the service process and all its
-; children can never gain new privileges through execve().
-;
-; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
-; (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
-;
-; - `RestrictRealTime=yes` ensures that any attempts to enable realtime
-; scheduling in a process invoked by the unit will be denied.
-;
-; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
-; is prohibited.
-;
-; - `LockPersonality=yes` locks down the personality system call so that the
-; kernel execution domain may not be changed from the default.
-;
-;
-; For further details about the directives used in this unit file, including
-; the above, please refer to systemd's official documentation, available at
-; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
-;
-;
-[Unit]
-Description=Validating, recursive, and caching DNS resolver
-Documentation=man:unbound(8)
-After=network.target
-Before=network-online.target nss-lookup.target
-Wants=nss-lookup.target
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
-ExecReload=+/bin/kill -HUP $MAINPID
-ExecStop=+/bin/kill -TERM $MAINPID
-NotifyAccess=main
-Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID \
- CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectHome=true
-ProtectControlGroups=true
-ProtectKernelModules=true
-ProtectSystem=strict
-ConfigurationDirectory=unbound
-RuntimeDirectory=unbound
-BindPaths=/run/systemd/notify
-BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-RestrictRealtime=true
-SystemCallArchitectures=native
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
-RestrictNamespaces=yes
-LockPersonality=yes
-RestrictSUIDSGID=yes
diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
new file mode 100644
index 000000000..53dc8701b
--- /dev/null
+++ b/contrib/unbound_portable.service.in
@@ -0,0 +1,50 @@
+; This unit file is provided to run unbound as portable service.
+; https://systemd.io/PORTABLE_SERVICES/
+;
+; To use this unit file, please make sure you either compile unbound with the
+; following options:
+;
+; - --with-pidfile=/run/unbound/unbound.pid
+; - --with-chroot-dir=""
+;
+; Or put the following options in your unbound configuration file:
+;
+; - chroot: ""
+; - pidfile: /run/unbound/unbound.pid
+;
+;
+[Unit]
+Description=Validating, recursive, and caching DNS resolver
+Documentation=man:unbound(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+ExecReload=+/bin/kill -HUP $MAINPID
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+NotifyAccess=main
+Type=notify
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=strict
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+BindPaths=/run/systemd/notify
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
-- 
2.47.3
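Review bot: The `CapabilityBoundingSet=` line in `[Service]` still grants `CAP_SYS_CHROOT`, although the header comment requires unbound to be built with `--with-chroot-dir=""` or configured with `chroot: ""`, so as far as this unit shows the capability is never exercised and only widens what the service process could do if compromised; the line would become `CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_NET_RAW`. The same entry was already in the deleted unbound_nochroot.service.in, so this is inherited rather than introduced by the move, but the move is the natural place to tighten it. The per-directive explanation and the pointer to systemd's documentation were dropped from the new header; one line such as `; See systemd.exec(5) for the sandboxing directives used in [Service] below.` would keep the file self-documenting for whoever later tunes the sandbox.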