+; For further details about the directives used in this unit file, including
+; the below, please refer to systemd's official documentation, available at
+; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
+;
+;
+; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
+; read-only for the processes invoked by the unit except for the API file
+; system subtrees /dev, /proc and /sys (which are protected by
+; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
+;
+; - `PrivateTmp=yes` secures access to temporary files of the process, and
+; makes sharing between processes via /tmp or /var/tmp impossible.
+;
+; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
+; inaccessible and empty for processes invoked by the unit.
+;
+; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
+; (accessible through /sys/fs/cgroup) read-only to all processes invoked by
+; the unit. It also implies `MountAPIVFS=yes`.
+;
+; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
+; unit User and Group with read-write permissions (0755) as soon as the
+; unit starts. This allows unbound to store its pidfile. The directory and
+; its content are automatically removed by systemd when the unit stops.
+;
+; - `NoNewPrivileges=yes` ensures that the service process and all its
+; children can never gain new privileges through execve().
+;
+; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
+; (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
+;
+; - `RestrictRealTime=yes` ensures that any attempts to enable realtime
+; scheduling in a process invoked by the unit will be denied.
+;
+; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
+; is prohibited.
+;
+; - `LockPersonality=yes` locks down the personality system call so that the
+; kernel execution domain may not be changed from the default.
+;
+;
[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=strict
-ReadWritePaths=/run @UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
-TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
-TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
-BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
-BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
-BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
+ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
+
+# Below is needed when pidfile is stored directly under /run like /run/unbound.pid.
+# If pidfile is stored under subdirectory like /run/unbound/unbound.pid instead
+# then it may be safely removed.
+ReadWritePaths=/run
+
+# Below rules are needed when chroot is enabled (usually it's enabled by default).
+# If chroot is disabled like chrooot: "" then they may be safely removed.
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
+BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
+BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
+BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
projects / thirdparty / unbound.git / commitdiff
