From: Maryse47 <41080948+Maryse47@users.noreply.github.com> Date: Fri, 24 Jan 2020 12:41:06 +0000 (+0100) Subject: unbound.service.in: add RuntimeDirectory and ConfigurationDirectory X-Git-Tag: release-1.10.0rc1~31^2~2^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1464bedce25f270508a3c9d921448afedc9ec9a2;p=thirdparty%2Funbound.git unbound.service.in: add RuntimeDirectory and ConfigurationDirectory Adding 'RuntimeDirectory' is needed when pidfile path is set to subdirectory under /run. Adding ConfigurationDirectory may help in some non-standard setups. Also add more descriptions about used rules to avoid user confusion about they meaning and purpose. --- diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index 13ca4b294..d0e294213 100644 --- a/contrib/unbound.service.in +++ b/contrib/unbound.service.in @@ -1,3 +1,44 @@ +; For further details about the directives used in this unit file, including +; the below, please refer to systemd's official documentation, available at +; https://www.freedesktop.org/software/systemd/man/systemd.exec.html. +; +; +; - `ProtectSystem=strict` implies we mount the entire file system hierarchy +; read-only for the processes invoked by the unit except for the API file +; system subtrees /dev, /proc and /sys (which are protected by +; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). +; +; - `PrivateTmp=yes` secures access to temporary files of the process, and +; makes sharing between processes via /tmp or /var/tmp impossible. +; +; - `ProtectHome=yes` makes the directories /home, /root, and /run/user +; inaccessible and empty for processes invoked by the unit. +; +; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies +; (accessible through /sys/fs/cgroup) read-only to all processes invoked by +; the unit. It also implies `MountAPIVFS=yes`. +; +; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the +; unit User and Group with read-write permissions (0755) as soon as the +; unit starts. This allows unbound to store its pidfile. The directory and +; its content are automatically removed by systemd when the unit stops. +; +; - `NoNewPrivileges=yes` ensures that the service process and all its +; children can never gain new privileges through execve(). +; +; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID +; (SUID) or set-group-ID (SGID) bits on files or directories will be denied. +; +; - `RestrictRealTime=yes` ensures that any attempts to enable realtime +; scheduling in a process invoked by the unit will be denied. +; +; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing +; is prohibited. +; +; - `LockPersonality=yes` locks down the personality system call so that the +; kernel execution domain may not be changed from the default. +; +; [Unit] Description=Validating, recursive, and caching DNS resolver Documentation=man:unbound(8) @@ -22,12 +63,8 @@ ProtectHome=true ProtectControlGroups=true ProtectKernelModules=true ProtectSystem=strict -ReadWritePaths=/run @UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ -TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro -TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro -BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify -BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom -BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log +RuntimeDirectory=unbound +ConfigurationDirectory=unbound RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX RestrictRealtime=true SystemCallArchitectures=native @@ -35,3 +72,17 @@ SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete RestrictNamespaces=yes LockPersonality=yes RestrictSUIDSGID=yes +ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ + +# Below is needed when pidfile is stored directly under /run like /run/unbound.pid. +# If pidfile is stored under subdirectory like /run/unbound/unbound.pid instead +# then it may be safely removed. +ReadWritePaths=/run + +# Below rules are needed when chroot is enabled (usually it's enabled by default). +# If chroot is disabled like chrooot: "" then they may be safely removed. +TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro +TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro +BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify +BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom +BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log