From: François KUBLER Date: Thu, 23 Jan 2020 14:46:53 +0000 (+0100) Subject: Added a new unit file to run unbound with systemd and without chroot. X-Git-Tag: release-1.10.0rc1~49^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=016f742f16bc3ea6e4cbafaf8b3e479581d3d6b1;p=thirdparty%2Funbound.git Added a new unit file to run unbound with systemd and without chroot. See https://github.com/NLnetLabs/unbound/pull/149 --- diff --git a/contrib/unbound_nochroot.service.in b/contrib/unbound_nochroot.service.in new file mode 100644 index 000000000..301062e38 --- /dev/null +++ b/contrib/unbound_nochroot.service.in 
@@ -0,0 +1,97 @@ +; This unit file is provided to run unbound without chroot. +; +; To use this unit file, please make sure you either compile unbound with the +; following options: +; +; - --with-pidfile=/run/unbound/unbound.pid +; - --with-chroot-dir="" +; +; Or put the following options in your unbound configuration file: +; +; - chroot: "" +; - pidfile: /run/unbound/unbound.pid +; +; Running without the chroot doesn't mean it's less secure. Simply put, we will +; instead rely on a few systemd directives to harden the service. +; To quote systemd : it's like a chroot on steroids ! +; +; The most important parts are : +; +; - `ProtectSystem=strict` implies we mount the entire file system hierarchy +; read-only for the processes invoked by the unit except for the API file +; system subtrees /dev, /proc and /sys (which are protected by +; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). +; +; - `PrivateTmp=yes` secures access to temporary files of the process, and +; makes sharing between processes via /tmp or /var/tmp impossible. +; +; - `ProtectHome=yes` makes the directories /home, /root, and /run/user +; inaccessible and empty for processes invoked by the unit. +; +; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies +; (accessible through /sys/fs/cgroup) read-only to all processes invoked by +; the unit. It also implies `MountAPIVFS=yes`. +; +; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the +; unit User and Group with read-write permissions (0755) as soon as the +; unit starts. This allows unbound to store its pidfile. The directory and +; its content are automatically removed by systemd when the unit stops. +; +; - `NoNewPrivileges=yes` ensures that the service process and all its +; children can never gain new privileges through execve(). +; +; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID +; (SUID) or set-group-ID (SGID) bits on files or directories will be denied. 
+; +; - `RestrictRealTime=yes` ensures that any attempts to enable realtime +; scheduling in a process invoked by the unit will be denied. +; +; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing +; is prohibited. +; +; - `LockPersonality=yes` locks down the personality system call so that the +; kernel execution domain may not be changed from the default. +; +; +; For further details about the directives used in this unit file, including +; the above, please refer to systemd's official documentation, available at +; https://www.freedesktop.org/software/systemd/man/systemd.exec.html. +; +; +[Unit] +Description=Validating, recursive, and caching DNS resolver +Documentation=man:unbound(8) +After=network.target +Before=network-online.target nss-lookup.target +Wants=nss-lookup.target + +[Install] +WantedBy=multi-user.target + +[Service] +ExecStart=@UNBOUND_SBIN_DIR@/unbound -d +ExecReload=+/bin/kill -HUP $MAINPID +ExecStop=+/bin/kill -TERM $MAINPID +NotifyAccess=main +Type=notify +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID \ + CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +ProtectHome=true +ProtectControlGroups=true +ProtectKernelModules=true +ProtectSystem=strict +ConfigurationDirectory=unbound +RuntimeDirectory=unbound +BindPaths=/run/systemd/notify +BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictRealtime=true +SystemCallArchitectures=native +SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources +RestrictNamespaces=yes +LockPersonality=yes +RestrictSUIDSGID=yes
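Review bot: the header comment states that `RuntimeDirectory=unbound` creates /run/unbound "owned by the unit User and Group", but the [Service] section sets neither `User=` nor `Group=`, so the directory is root-owned and the service starts as root, relying on unbound's own `username:` setting (and the retained CAP_SETUID/CAP_SETGID) to drop privileges; either add `User=`/`Group=` (and then reconsider whether CAP_SETUID/CAP_SETGID are still needed) or reword the comment so it does not promise ownership the unit never configures. Related inconsistencies in the same [Service] block: `CAP_SYS_CHROOT` stays in `CapabilityBoundingSet=` although the unit exists precisely to run without chroot and the comment tells users to set `chroot: ""`; `CAP_SYS_RESOURCE` is granted while `@resources` (setrlimit, prlimit64, setpriority and friends) is in the `SystemCallFilter=` deny list, and because no `SystemCallErrorNumber=` is set a filtered call kills the process with SIGSYS rather than returning an error, so either drop the capability or add an error number; `mount` in that list names a single syscall, whereas the group `@mount` (which also covers umount2, pivot_root and the other mount-related calls) is almost certainly what was meant; and the comment spells the directive `RestrictRealTime=yes` while the directive itself, used correctly further down, is `RestrictRealtime=true`. Minor: `ExecStop=+/bin/kill -TERM $MAINPID` duplicates systemd's default SIGTERM stop behaviour and can be removed, which also gets rid of a privileged `+` prefix.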