unbound.service.in: add RuntimeDirectory and ConfigurationDirectory

Adding 'RuntimeDirectory' is needed when pidfile path is set to
subdirectory under /run.

Adding ConfigurationDirectory may help in some non-standard setups.

Also add more descriptions about used rules to avoid user confusion
about they meaning and purpose.

contrib/unbound.service.in

@@ -1,3 +1,44 @@
+; For further details about the directives used in this unit file, including
+; the below, please refer to systemd's official documentation, available at
+; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
+;
+;
+;   - `ProtectSystem=strict` implies we mount the entire file system hierarchy
+;     read-only for the processes invoked by the unit except for the API file
+;     system subtrees /dev, /proc and /sys (which are protected by
+;     PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
+;
+;   - `PrivateTmp=yes` secures access to temporary files of the process, and
+;     makes sharing between processes via /tmp or /var/tmp impossible.
+;
+;   - `ProtectHome=yes` makes the directories /home, /root, and /run/user
+;     inaccessible and empty for processes invoked by the unit.
+;
+;   - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
+;     (accessible through /sys/fs/cgroup) read-only to all processes invoked by
+;     the unit. It also implies `MountAPIVFS=yes`.
+;
+;   - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
+;     unit User and Group with read-write permissions (0755) as soon as the
+;     unit starts. This allows unbound to store its pidfile. The directory and
+;     its content are automatically removed by systemd when the unit stops.
+;
+;   - `NoNewPrivileges=yes` ensures that the service process and all its
+;     children can never gain new privileges through execve().
+;
+;   - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
+;     (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
+;
+;   - `RestrictRealTime=yes` ensures that any attempts to enable realtime
+;     scheduling in a process invoked by the unit will be denied.
+;
+;   - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
+;     is prohibited.
+;
+;   - `LockPersonality=yes` locks down the personality system call so that the
+;     kernel execution domain may not be changed from the default.
+;
+;
 [Unit]
 Description=Validating, recursive, and caching DNS resolver
 Documentation=man:unbound(8)
@@ -22,12 +63,8 @@ ProtectHome=true
 ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectSystem=strict
-ReadWritePaths=/run @UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
-TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
-TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
-BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
-BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
-BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
@@ -35,3 +72,17 @@ SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete
 RestrictNamespaces=yes
 LockPersonality=yes
 RestrictSUIDSGID=yes
+ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
+
+# Below is needed when pidfile is stored directly under /run like /run/unbound.pid.
+# If pidfile is stored under subdirectory like /run/unbound/unbound.pid instead
+# then it may be safely removed.
+ReadWritePaths=/run
+
+# Below rules are needed when chroot is enabled (usually it's enabled by default).
+# If chroot is disabled like chrooot: "" then they may be safely removed.
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
+BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
+BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
+BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log