From: Wouter Wijngaards Date: Mon, 6 Mar 2017 15:27:36 +0000 (+0000) Subject: - Fix #1229: Systemd service sandboxing in contrib/unbound.service. X-Git-Tag: release-1.6.2rc1~82 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e6e9a01552ab919ef7bad11e6a37ce9b69f6c8e;p=thirdparty%2Funbound.git - Fix #1229: Systemd service sandboxing in contrib/unbound.service. git-svn-id: file:///svn/unbound/trunk@4032 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index b33c3706d..e5b716c61 100644 --- a/contrib/unbound.service.in +++ b/contrib/unbound.service.in @@ -6,3 +6,21 @@ ExecReload=/bin/kill -HUP $MAINPID [Install] WantedBy=multi-user.target + +[Unit] +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +ProtectHome=true +ProtectControlGroups=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=strict +ReadWritePaths=/etc/unbound /run +RestrictAddressFamilies=AF_INET AF_UNIX +RestrictRealtime=true +SystemCallArchitectures=native +SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources + diff --git a/doc/Changelog b/doc/Changelog index 3c1801c29..87a0cc528 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +6 March 2017: Wouter + - Fix #1229: Systemd service sandboxing in contrib/unbound.service. + 28 February 2017: Ralph - Fix testpkts.c, check if DO bit is set, not only if there is an OPT record.
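Review bot: The sandboxing directives added to contrib/unbound.service.in sit under a new `[Unit]` header placed after `[Install]`, but CapabilityBoundingSet=, NoNewPrivileges=, ProtectSystem=, SystemCallFilter= and the other added keys are execution settings that systemd only honours in `[Service]`. In `[Unit]` they are reported as unknown keys and ignored, so the service would start without any of the intended restrictions. Move the whole block into the existing `[Service]` section (the one containing `ExecReload=/bin/kill -HUP $MAINPID`) and check the result with `systemd-analyze verify`. Two further points become relevant once the directives take effect: `RestrictAddressFamilies=AF_INET AF_UNIX` omits AF_INET6, which would deny IPv6 sockets to the resolver, and `mount` is the only entry in the SystemCallFilter list without the `@` prefix, so it matches just the mount syscall; if the `@mount` set was meant, add the prefix.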