upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Fix #4142: unbound.service.in: improvements and fixes.

Browse source 
Add unit dependency ordering (based on systemd-resolved).
  Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
  about missing privileges during startup). Add 'AF_INET6' to
  'RestrictAddressFamilies' (without it IPV6 can't work). From
  Guido Shanahan.


git-svn-id: file:///svn/unbound/trunk@4834 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2018-08-07 08:30:22 +00:00
parent ce04bcb463
commit 070019c9be
2 changed files with 13 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
contrib/unbound.service.in
View file

@ -1,6 +1,9 @@
[Unit] [Unit]
Description=Validating, recursive, and caching DNS resolver Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8) Documentation=man:unbound(8)
After=network.target
Before=network-online.target nss-lookup.target
Wants=nss-lookup.target
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
@ -10,7 +13,7 @@ ExecReload=/bin/kill -HUP $MAINPID
ExecStart=@UNBOUND_SBIN_DIR@/unbound ExecStart=@UNBOUND_SBIN_DIR@/unbound
NotifyAccess=main NotifyAccess=main
Type=notify Type=notify
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
NoNewPrivileges=true NoNewPrivileges=true
PrivateDevices=true PrivateDevices=true
@ -21,7 +24,7 @@ ProtectKernelModules=true
ProtectKernelTunables=true ProtectKernelTunables=true
ProtectSystem=strict ProtectSystem=strict
ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@ ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@
RestrictAddressFamilies=AF_INET AF_UNIX RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true RestrictRealtime=true
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources

8
doc/Changelog
View file

@ -1,3 +1,11 @@
7 August 2018: Wouter
- Fix #4142: unbound.service.in: improvements and fixes.
Add unit dependency ordering (based on systemd-resolved).
Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
about missing privileges during startup). Add 'AF_INET6' to
'RestrictAddressFamilies' (without it IPV6 can't work). From
Guido Shanahan.
6 August 2018: Wouter 6 August 2018: Wouter
- Fix for #4136: Fix to unconditionally call destroy in daemon.c. - Fix for #4136: Fix to unconditionally call destroy in daemon.c.