unbound.service.in revision 356345
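# unbound.service.in -- systemd unit template for the Unbound DNS resolver.
# @...@ tokens (UNBOUND_SBIN_DIR, UNBOUND_RUN_DIR, UNBOUND_CHROOT_DIR,
# UNBOUND_PIDFILE) are placeholders substituted at build time.
# systemd accepts both true/false and yes/no for booleans; this file
# uses "true"/"false" throughout for consistency.

[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
After=network.target
# Ordered before the targets that signal "name resolution is available".
Before=network-online.target nss-lookup.target
Wants=nss-lookup.target

[Install]
WantedBy=multi-user.target

[Service]
# The "+" prefix runs this command with full privileges: none of the
# sandboxing below applies to it. It only signals the main PID to reload.
ExecReload=+/bin/kill -HUP $MAINPID
# -d keeps unbound in the foreground so systemd tracks the main process.
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
# Only the main process may send readiness notifications; the notify
# socket is bind-mounted into the chroot below so Type=notify still works.
NotifyAccess=main
Type=notify

# --- Privilege restrictions ---
# Capabilities the service and its children may ever hold.
# NOTE(review): CAP_NET_RAW is granted; confirm it is still required, as
# ordinary UDP/TCP DNS sockets do not need it.
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
# Forbid memory mappings that are both writable and executable.
MemoryDenyWriteExecute=true
# No privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
# NOTE(review): ProtectKernelTunables=, ProtectClock= and ProtectHostname=
# are not set; evaluate enabling them (ProtectClock= is consistent with
# the @clock syscall filter below). Left unchanged here to preserve
# current behaviour.
# Entire filesystem read-only except /dev, /proc, /sys ...
ProtectSystem=strict
# ... and these paths, which remain writable.
ReadWritePaths=/run @UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@

# --- Chroot plumbing ---
# Repeated keys accumulate. An empty read-only tmpfs covers the chroot's
# /dev and /run; the bind mounts then expose only the nodes the daemon
# needs. A leading "-" on a bind source means "skip silently if the
# source path does not exist".
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
# Notify socket, read-only, so readiness can be reported from the chroot.
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindPaths=-@UNBOUND_PIDFILE@:@UNBOUND_CHROOT_DIR@@UNBOUND_PIDFILE@
# Entropy source, read-only.
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
# syslog socket; writable because the daemon sends to it.
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log

# --- Kernel attack-surface reduction ---
# Only IPv4, IPv6 and local (Unix) sockets.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true
# Only the host's native syscall ABI (no compat entry points).
SystemCallArchitectures=native
# Deny-list ("~") of syscall groups. "mount" is the single syscall, not
# the "@mount" group -- presumably so chroot(2), for which CAP_SYS_CHROOT
# is granted above, stays allowed; confirm before widening this filter.
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=true
LockPersonality=true
RestrictSUIDSGID=true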