Added a new unit file to run unbound with systemd and without chroot.
authorFrançois KUBLER <francois+github@kubler.org>
Thu, 23 Jan 2020 14:46:53 +0000 (15:46 +0100)
committerFrançois KUBLER <francois+github@kubler.org>
Thu, 23 Jan 2020 14:46:53 +0000 (15:46 +0100)
See https://github.com/NLnetLabs/unbound/pull/149

contrib/unbound_nochroot.service.in [new file with mode: 0644]

diff --git a/contrib/unbound_nochroot.service.in b/contrib/unbound_nochroot.service.in
new file mode 100644 (file)
index 0000000..301062e
--- /dev/null
@@ -0,0 +1,97 @@
+; This unit file is provided to run unbound without chroot.
+;
+; To use this unit file, please make sure you either compile unbound with the
+; following options:
+;
+;  - --with-pidfile=/run/unbound/unbound.pid
+;  - --with-chroot-dir=""
+;
+; Or put the following options in your unbound configuration file:
+;
+;  - chroot: ""
+;  - pidfile: /run/unbound/unbound.pid
+;
+; Running without the chroot doesn't mean it's less secure. Simply put, we will
+; instead rely on a few systemd directives to harden the service.
+; To quote systemd : it's like a chroot on steroids !
+;
+; The most important parts are :
+;
+;   - `ProtectSystem=strict` implies we mount the entire file system hierarchy
+;     read-only for the processes invoked by the unit except for the API file
+;     system subtrees /dev, /proc and /sys (which are protected by
+;     PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
+;
+;   - `PrivateTmp=yes` secures access to temporary files of the process, and
+;     makes sharing between processes via /tmp or /var/tmp impossible.
+;
+;   - `ProtectHome=yes` makes the directories /home, /root, and /run/user
+;     inaccessible and empty for processes invoked by the unit.
+;
+;   - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
+;     (accessible through /sys/fs/cgroup) read-only to all processes invoked by
+;     the unit. It also implies `MountAPIVFS=yes`.
+;
+;   - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
+;     unit User and Group with read-write permissions (0755) as soon as the
+;     unit starts. This allows unbound to store its pidfile. The directory and
+;     its content are automatically removed by systemd when the unit stops.
+;
+;   - `NoNewPrivileges=yes` ensures that the service process and all its
+;     children can never gain new privileges through execve().
+;
+;   - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
+;     (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
+;
+;   - `RestrictRealTime=yes` ensures that any attempts to enable realtime
+;     scheduling in a process invoked by the unit will be denied.
+;
+;   - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
+;     is prohibited.
+;
+;   - `LockPersonality=yes` locks down the personality system call so that the
+;     kernel execution domain may not be changed from the default.
+;
+;
+; For further details about the directives used in this unit file, including
+; the above, please refer to systemd's official documentation, available at
+; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
+;
+;
+[Unit]
+Description=Validating, recursive, and caching DNS resolver
+Documentation=man:unbound(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+ExecReload=+/bin/kill -HUP $MAINPID
+ExecStop=+/bin/kill -TERM $MAINPID
+NotifyAccess=main
+Type=notify
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID \
+        CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=strict
+ConfigurationDirectory=unbound
+RuntimeDirectory=unbound
+BindPaths=/run/systemd/notify
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
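Review bot: The header comment (lines 35-38) says /proc and /sys are covered by `ProtectKernelTunables=`, but the [Service] section never sets it, so under `ProtectSystem=strict` /proc/sys remains writable to a process that still runs as root until unbound's own `username:` drop (no `User=` is set; the CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT entries in CapabilityBoundingSet only make sense because of that). Either add `ProtectKernelTunables=true` next to `ProtectKernelModules=true` or remove the claim, and reword the `RuntimeDirectory=` note at lines 50-53: with no `User=`, /run/unbound is created root-owned, and writing the pidfile there works only because unbound opens it before switching user, which the comment should state rather than "owned by the unit User and Group". Separately, `ProtectSystem=strict` with no `ReadWritePaths=` leaves only /run/unbound writable (ConfigurationDirectory does not grant write access), so an `auto-trust-anchor-file:` kept under /etc/unbound or /var/lib/unbound cannot be rewritten on RFC 5011 key rollover; if that layout is expected, add `ReadWritePaths=` for the anchor file (or `StateDirectory=unbound` and point the anchor there) and document it in the header.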