From c32b9e4ba95983146eac805719db720f02a64358 Mon Sep 17 00:00:00 2001 From: Bruno Pagani Date: Sun, 25 Jul 2021 03:17:18 +0000 Subject: [PATCH] unbound.service.in: upgrade hardening to latest standards MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Systemd gradually introduced new protection bits, let’s enable them. --- contrib/unbound.service.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index a4596978d..90ee708ce 100644 --- a/contrib/unbound.service.in +++ b/contrib/unbound.service.in @@ -60,8 +60,12 @@ NoNewPrivileges=true PrivateDevices=true PrivateTmp=true ProtectHome=true +ProtectClock=true ProtectControlGroups=true +ProtectKernelLogs=true ProtectKernelModules=true +ProtectKernelTunables=true +ProtectProc=invisible ProtectSystem=strict RuntimeDirectory=unbound ConfigurationDirectory=unbound -- 2.39.5
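Review bot: the four added lines (ProtectClock=, ProtectKernelLogs=, ProtectKernelTunables=, ProtectProc=invisible) carry no indication of the minimum systemd version they need. The commit message says these bits were introduced gradually, but neither it nor the hunk says from which release each one is available. A systemd that does not know a directive logs a warning and ignores it, so on older hosts the unit still starts but without the protection the file appears to grant. Please state the required version in the commit message or in a comment above the new lines, and note that `systemd-analyze security unbound.service` on the target host shows which settings are actually in effect. Separately, ProtectProc=invisible only hides other users' processes from a service that lacks CAP_SYS_PTRACE, and the capability settings of this unit are outside the hunk, so it is worth confirming that the two agree.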