Add AF_NETLINK to set of allowed socket address families

contrib/unbound{,_portable}.service.in:
With the changes introduced in f6a527c25ad2e60e2dc129fff3605e6ec48c30f2
it is now necessary to also allow access to the AF_NETLINK socket
address family to be able to get information from interfaces.

Without the AF_NETLINK address family the systemd service errors with:

```
error: failed to list interfaces: getifaddrs: Address family not
supported by protocol
```

Fixes #350

diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index c95ab94b343a92d301ba96c737aa9a55daa30f74..a4596978dbe2d2f7cfa91fd75a71fafb1a16a429 100644 (file)
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -66,7 +66,7 @@ ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
 StateDirectory=unbound
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources

diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
index 998b66dec999f93284e09f07b9ea6ef605d31baa..e763763f02e1acb7af892e3c25e9457e6188dfbe 100644 (file)
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@@ -38,7 +38,7 @@ ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
 StateDirectory=unbound
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources