- Fix #1229: Systemd service sandboxing in contrib/unbound.service.

author Wouter Wijngaards <wouter@nlnetlabs.nl>

Mon, 6 Mar 2017 15:27:36 +0000 (15:27 +0000)

committer Wouter Wijngaards <wouter@nlnetlabs.nl>

Mon, 6 Mar 2017 15:27:36 +0000 (15:27 +0000)
author Wouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 6 Mar 2017 15:27:36 +0000 (15:27 +0000)
committer Wouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 6 Mar 2017 15:27:36 +0000 (15:27 +0000)
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in

index b33c3706dd44c36e488094739f0bed5b31600d22..e5b716c61e29025a3dc5410d459e565c6b0fca2d 100644 (file)
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -6,3 +6,21 @@ ExecReload=/bin/kill -HUP $MAINPID
  
  [Install]
  WantedBy=multi-user.target
+
+[Unit]
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/etc/unbound /run
+RestrictAddressFamilies=AF_INET AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+
diff --git a/doc/Changelog b/doc/Changelog

index 3c1801c29bbafbf7b35ada2c69093dd3396d29fd..87a0cc5281b6cc918745448b5c0aeac08ee00ab8 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+6 March 2017: Wouter
+       - Fix #1229: Systemd service sandboxing in contrib/unbound.service.
+
  28 February 2017: Ralph
         - Fix testpkts.c, check if DO bit is set, not only if there is an OPT
           record.
author	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Mon, 6 Mar 2017 15:27:36 +0000 (15:27 +0000)
committer	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Mon, 6 Mar 2017 15:27:36 +0000 (15:27 +0000)
contrib/unbound.service.in		patch \| blob \| blame \| history
doc/Changelog		patch \| blob \| blame \| history