; For further details about the directives used in this unit file, including
; the below, please refer to systemd's official documentation, available at
; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
;
;
; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
; read-only for the processes invoked by the unit except for the API file
; system subtrees /dev, /proc and /sys (which are protected by
; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
;
; - `PrivateTmp=yes` secures access to temporary files of the process, and
; makes sharing between processes via /tmp or /var/tmp impossible.
;
; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
; inaccessible and empty for processes invoked by the unit.
;
; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
; (accessible through /sys/fs/cgroup) read-only to all processes invoked by
; the unit. It also implies `MountAPIVFS=yes`.
;
; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
; unit User and Group with read-write permissions (0755) as soon as the
; unit starts. This allows unbound to store its pidfile. The directory and
; its content are automatically removed by systemd when the unit stops.
;
; - `NoNewPrivileges=yes` ensures that the service process and all its
; children can never gain new privileges through execve().
;
; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
; (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
;
; - `RestrictRealtime=yes` ensures that any attempts to enable realtime
; scheduling in a process invoked by the unit will be denied.
;
; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
; is prohibited.
;
; - `LockPersonality=yes` locks down the personality system call so that the
; kernel execution domain may not be changed from the default.
;
;
[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
After=network.target
Before=network-online.target nss-lookup.target

[Install]
WantedBy=multi-user.target

[Service]
ExecReload=+/bin/kill -HUP $MAINPID
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
NotifyAccess=main
Type=notify
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
ProtectKernelTunables=false
ProtectProc=invisible
ProtectSystem=strict
RuntimeDirectory=unbound
ConfigurationDirectory=unbound
StateDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@

# Below rules are needed when chroot is enabled (usually it's enabled by default).
# If chroot is disabled like chroot: "" then they may be safely removed.
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
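The sandboxing directives documented in the comment block and set in the [Service] section above can be audited mechanically before a unit is deployed. The script below is an added example, not part of the Unbound project or its build: it parses unit-file syntax (both `;` and `#` comments, sections, repeated list settings such as `BindReadOnlyPaths=`, the `Key=` reset, and backslash line continuation) and reports which of the page's hardening settings a unit is missing. The two unit texts embedded in it are constructed: a weak unit with no sandboxing, and a trimmed copy of the page's hardened one with the `@UNBOUND_..@` build placeholders left unresolved, since nothing here runs the build. The list of required directives is the page's own; `ProtectKernelTunables=false` is reported separately because the page disables it on purpose.

```python
"""Parse a systemd unit and audit its [Service] section against the
sandboxing directives from unbound.service.in.  Added example, not Unbound
project code; the unit texts below are constructed for it."""
import re

TRUE_WORDS = {"1", "yes", "true", "on"}          # boolean spellings systemd accepts
# Settings that accumulate over repeated lines; an empty value clears them.
LIST_SETTINGS = {"BindPaths", "BindReadOnlyPaths", "TemporaryFileSystem",
                 "ReadWritePaths", "SystemCallFilter", "ExecStart"}
# Hardening taken from the page's [Service] section.
REQUIRED_TRUE = ["NoNewPrivileges", "PrivateTmp", "PrivateDevices", "ProtectHome",
                 "ProtectControlGroups", "ProtectKernelModules", "RestrictRealtime",
                 "RestrictNamespaces", "LockPersonality", "RestrictSUIDSGID",
                 "MemoryDenyWriteExecute"]
REQUIRED_VALUE = {"ProtectSystem": "strict", "ProtectProc": "invisible",
                  "SystemCallArchitectures": "native", "RuntimeDirectory": "unbound"}


def parse_unit(text):
    """Return {section: {key: value or [values]}} for unit-file text."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        pending = ""
        if line.endswith("\\"):                  # backslash joins the next line
            pending = line[:-1] + " "
            continue
        s = line.strip()
        if not s or s[0] in "#;":                # blank lines and both comment styles
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", s)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in s:
            raise ValueError(f"malformed line: {line!r}")
        key, _, value = (p.strip() for p in s.partition("="))
        if key in LIST_SETTINGS:
            if value == "":
                current[key] = []                # Key= resets an accumulated list
            else:
                current.setdefault(key, []).append(value)
        else:
            current[key] = value                 # last assignment wins
    return sections


def audit_service(sections):
    """List deviations from the page's hardening; [] means none found."""
    svc = sections.get("Service", {})
    on = lambda v: v is not None and v.lower() in TRUE_WORDS
    out = [f"{k} not enabled (got {svc.get(k)!r})" for k in REQUIRED_TRUE if not on(svc.get(k))]
    out += [f"{k} should be {w!r} (got {svc.get(k)!r})"
            for k, w in REQUIRED_VALUE.items() if svc.get(k) != w]
    if not svc.get("SystemCallFilter"):
        out.append("SystemCallFilter not set")
    if not on(svc.get("ProtectKernelTunables")):
        # The page turns this off deliberately (so-rcvbuf); surface it anyway so
        # the trade-off stays a conscious choice rather than an oversight.
        out.append("ProtectKernelTunables is off")
    return out


WEAK_UNIT = """\
[Unit]
Description=Unbound with no sandboxing (constructed sample)

[Service]
Type=notify
ExecStart=/usr/sbin/unbound -d -p
"""

HARDENED_UNIT = """\
; trimmed copy of the page's unit (constructed sample); '#' comments work too
[Unit]
Description=Validating, recursive, and caching DNS resolver

[Service]
Type=notify
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
ProtectKernelTunables=false
ProtectProc=invisible
ProtectSystem=strict
RuntimeDirectory=unbound
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring \\
    @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
"""

if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        findings = audit_service(parse_unit(unit))
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against a real unit with `audit_service(parse_unit(open("/etc/systemd/system/unbound.service").read()))`; on a host with systemd, `systemd-analyze security unbound.service` gives the broader picture, while this script only checks the specific settings the page commits to.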