From 8eb50101046c6861f71dfdbe4d4bdaa9168c9650 Mon Sep 17 00:00:00 2001
From: Maryse47 <41080948+Maryse47@users.noreply.github.com>
Date: Wed, 3 Nov 2021 13:05:11 +0000
Subject: [PATCH] Disable ProtectKernelTunables again

This option was removed in https://github.com/NLnetLabs/unbound/commit/ff8fd0be5c529e7a1b84e8c74426e9c531c0a8f8 but reintroduced in https://github.com/NLnetLabs/unbound/commit/c32b9e4ba95983146eac805719db720f02a64358 Disable it with commentary in hope to prevent slipping it in again.
---
 contrib/unbound.service.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index 90ee708ce..ada5fac9c 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -64,7 +64,8 @@ ProtectClock=true
 ProtectControlGroups=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
-ProtectKernelTunables=true
+# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
+ProtectKernelTunables=false
 ProtectProc=invisible
 ProtectSystem=strict
 RuntimeDirectory=unbound
-- 
2.39.5
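Review bot: The new comment above `ProtectKernelTunables=false` names what breaks but not what is given up: with the option off, systemd no longer makes kernel tunables under /proc/sys and /sys read-only for the unit, so that protection rests on the remaining sandboxing and the service's own privileges. I would state this and scope the exception, for example `# ProtectKernelTunables=true breaks socket options such as 'so-rcvbuf', so it is left off deliberately.` followed by `# Deployments that do not set those options can re-enable it in a drop-in override.` The failure mechanism is not visible in this hunk, so a reference to the report that motivated the change would help stop the setting being flipped back a third time. The surrounding Protect* block continues outside the hunk, and running `systemd-analyze security` on the installed unit would show what exposure remains.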