From: Maryse47 <41080948+Maryse47@users.noreply.github.com>
Date: Wed, 3 Nov 2021 13:05:11 +0000 (+0000)
Subject: Disable ProtectKernelTunables again
X-Git-Tag: release-1.14.0rc1~29^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F565%2Fhead;p=thirdparty%2Funbound.git

Disable ProtectKernelTunables again

This option was removed in https://github.com/NLnetLabs/unbound/commit/ff8fd0be5c529e7a1b84e8c74426e9c531c0a8f8
but reintroduced in https://github.com/NLnetLabs/unbound/commit/c32b9e4ba95983146eac805719db720f02a64358

Disable it with commentary in the hope of preventing it from slipping in again.
---
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index 90ee708ce..ada5fac9c 100644 --- a/contrib/unbound.service.in +++ b/contrib/unbound.service.in @@ -64,7 +64,8 @@ ProtectClock=true ProtectControlGroups=true ProtectKernelLogs=true ProtectKernelModules=true -ProtectKernelTunables=true +# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility. +ProtectKernelTunables=false ProtectProc=invisible ProtectSystem=strict RuntimeDirectory=unbound
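
Review bot: The new comment above `ProtectKernelTunables=false` says the option breaks socket options like 'so-rcvbuf', but it does not record what hardening is given up or point to the earlier removal, and the commit message shows the setting has already been reintroduced once. `ProtectSystem=strict` does not cover the /proc and /sys API file systems, so with this set to false the kernel tunables under /proc/sys and /sys are no longer forced read-only for the service. I would extend the comment to reference the commit that first removed the option (ff8fd0be5c529e7a1b84e8c74426e9c531c0a8f8) and to note that deployments not using 'so-rcvbuf' can set `ProtectKernelTunables=true` again in a drop-in override.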