unbound.service.in revision 361435
; For further details about the directives used in this unit file, including
; the below, please refer to systemd's official documentation, available at
; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
;
;
; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
; read-only for the processes invoked by the unit except for the API file
; system subtrees /dev, /proc and /sys (which are protected by
; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
;
; - `PrivateTmp=yes` secures access to temporary files of the process, and
; makes sharing between processes via /tmp or /var/tmp impossible.
;
; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
; inaccessible and empty for processes invoked by the unit.
;
; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
; (accessible through /sys/fs/cgroup) read-only to all processes invoked by
; the unit. It also implies `MountAPIVFS=yes`.
;
; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
; unit User and Group with read-write permissions (0755) as soon as the
; unit starts (this unit sets no User=, so the directory is owned by root and
; unbound drops privileges itself, which is why CAP_SETUID and CAP_SETGID are
; kept in the bounding set). This allows unbound to store its pidfile. The
; directory and its content are automatically removed by systemd when the
; unit stops.
;
; - `NoNewPrivileges=yes` ensures that the service process and all its
; children can never gain new privileges through execve().
;
; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
; (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
;
; - `RestrictRealtime=yes` ensures that any attempts to enable realtime
; scheduling in a process invoked by the unit will be denied.
;
; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
; is prohibited.
;
; - `LockPersonality=yes` locks down the personality system call so that the
; kernel execution domain may not be changed from the default.
;
;
[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
After=network.target
Before=network-online.target nss-lookup.target
Wants=nss-lookup.target

[Install]
WantedBy=multi-user.target

[Service]
ExecReload=+/bin/kill -HUP $MAINPID
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
NotifyAccess=main
Type=notify
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=strict
RuntimeDirectory=unbound
ConfigurationDirectory=unbound
StateDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@

# Below rules are needed when chroot is enabled (it is enabled by default).
# If chroot is disabled (chroot: "" in unbound.conf) they may be safely removed.
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
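The hardening directives documented in the header comment and the chroot-related mount directives at the end of the [Service] section are only effective if systemd actually recognises them: systemd logs "Unknown key name ... ignoring" for a misspelled directive and otherwise starts the service, so a typo such as `RestrictRealTime=` quietly disables that part of the sandbox. The following Python script is an added example, not code from unbound or systemd. It parses a unit file the way systemd reads it (comments, sections, repeated list keys, empty-value reset), substitutes the `@...@` placeholders that unbound's configure fills in (the values in `SUBST` are assumed, not unbound's defaults), checks the hardening directives listed in the comment, flags keys systemd would ignore, and derives the mount plan the TemporaryFileSystem= and Bind*Paths= lines produce. `UNIT_TEMPLATE` is a constructed, trimmed copy of the [Service] section above, and `KNOWN` is only the subset of systemd.exec(5)/systemd.service(5) names used here.

```python
"""Hardening lint for a systemd unit file (added example, not unbound's or systemd's code)."""
import re

# Assumed configure-time values for the @...@ placeholders (not unbound's defaults).
SUBST = {"UNBOUND_SBIN_DIR": "/usr/local/sbin",
         "UNBOUND_RUN_DIR": "/run/unbound",
         "UNBOUND_CHROOT_DIR": "/var/unbound"}

# Constructed, trimmed copy of the unit's [Service] section.
UNIT_TEMPLATE = """\
[Unit]
Description=Validating, recursive, and caching DNS resolver
[Service]
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
Type=notify
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=strict
RuntimeDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
"""

TRUE = {"yes", "true", "on", "1"}
# Directives the header comment documents, mapped to the values that enable them.
HARDENING = {"ProtectSystem": {"strict", "full"}, "PrivateTmp": TRUE, "ProtectHome": TRUE,
             "ProtectControlGroups": TRUE, "ProtectKernelTunables": TRUE, "NoNewPrivileges": TRUE,
             "RestrictSUIDSGID": TRUE, "RestrictRealtime": TRUE, "RestrictNamespaces": TRUE,
             "LockPersonality": TRUE}
# Subset of systemd.exec(5)/systemd.service(5) key names used in this unit; extend as needed.
KNOWN = set(HARDENING) | {"ExecStart", "ExecReload", "Type", "NotifyAccess", "CapabilityBoundingSet",
                          "MemoryDenyWriteExecute", "PrivateDevices", "ProtectKernelModules",
                          "RuntimeDirectory", "StateDirectory", "ConfigurationDirectory",
                          "RestrictAddressFamilies", "SystemCallArchitectures", "SystemCallFilter",
                          "ReadWritePaths", "TemporaryFileSystem", "BindReadOnlyPaths", "BindPaths"}


def substitute(template, subst):
    """Fill @NAME@ placeholders as unbound's configure does; an unknown name is an error."""
    def repl(m):
        if m.group(1) not in subst:
            raise KeyError(f"unsubstituted placeholder @{m.group(1)}@")
        return subst[m.group(1)]
    return re.sub(r"@([A-Z][A-Z0-9_]*)@", repl, template)  # @clock etc. are lowercase: untouched


def parse_unit(text):
    """Return {section: {key: [values]}}: repeated keys accumulate, an empty value resets."""
    unit, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):                      # trailing backslash continues the line
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line[0] in "#;":              # both comment markers are valid
            continue
        if line[0] == "[" and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        values = unit[section].setdefault(key.strip(), [])
        if value.strip() == "":
            values.clear()                           # "Key=" resets a list setting
        else:
            values.append(value.strip())
    return unit


def lint(unit):
    """Hardening directives that are absent or disabled, plus keys systemd would ignore."""
    svc = unit.get("Service", {})
    missing = sorted(k for k, ok in HARDENING.items() if not svc.get(k) or svc[k][-1].lower() not in ok)
    unknown = sorted(k for k in svc if k not in KNOWN)
    return {"missing": missing, "unknown": unknown}


def mount_plan(unit):
    """(kind, source, target, flags) per TemporaryFileSystem=/Bind*Paths= entry.
    A leading '-' on a bind source tells systemd to skip the mount if the source is absent."""
    svc, plan = unit.get("Service", {}), []
    for entry in svc.get("TemporaryFileSystem", []):     # form: path[:options]
        target, _, opts = entry.partition(":")
        plan.append(("tmpfs", None, target, opts))
    for key, mode in (("BindReadOnlyPaths", "ro"), ("BindPaths", "rw")):
        for entry in svc.get(key, []):                  # form: [-]source[:dest[:options]]
            optional = entry.startswith("-")
            src, _, rest = entry.lstrip("-").partition(":")
            plan.append(("bind", src, rest.split(":")[0] or src, mode + (",optional" if optional else "")))
    return plan


if __name__ == "__main__":
    parsed = parse_unit(substitute(UNIT_TEMPLATE, SUBST))
    print(lint(parsed))          # flags ProtectKernelTunables: named in the comment, not set
    for m in mount_plan(parsed):
        print(m)
```

Two things the output makes visible: the header comment names ProtectKernelTunables= among the protections, but the [Service] section never sets it, so `lint` reports it as missing; and the bare `mount` entry in SystemCallFilter= blocks only the mount(2) call rather than the `@mount` group, which also covers chroot(2) and would conflict with the CAP_SYS_CHROOT the unit keeps for unbound's own chroot.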