Move unbound_nochroot.service to unbound_portable.service

The real purpose of this service is to make it work with https://systemd.io/PORTABLE_SERVICES/ which are incompatible with chroot workarounds from original unbound.service. The service content is identical to unbound.service with exception for chroot related rules which were modified as needed.
2025-12-20 23:00:56 -05:00 · 2020-01-25 00:48:25 +01:00 · 2020-01-25 00:48:25 +01:00 · 72bfa5a48c
commit 72bfa5a48c
parent 1464bedce2
5 changed files with 55 additions and 103 deletions
--- a/4
+++ b/4
@ -21441,7 +21441,7 @@ version=1.9.7
 date=`date +'%b %e, %Y'`


-ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service"
+ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service"

 ac_config_headers="$ac_config_headers config.h"

@ -22447,7 +22447,7 @@ do
    "contrib/libunbound.pc") CONFIG_FILES="$CONFIG_FILES contrib/libunbound.pc" ;;
    "contrib/unbound.socket") CONFIG_FILES="$CONFIG_FILES contrib/unbound.socket" ;;
    "contrib/unbound.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound.service" ;;
-    "contrib/unbound_nochroot.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_nochroot.service" ;;
+    "contrib/unbound_portable.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_portable.service" ;;
    "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;

  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
--- a/configure.ac
+++ b/configure.ac
@ -2056,6 +2056,6 @@ dnl if this is a distro tarball, that was already done by makedist.sh
 AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO])
 AC_SUBST(date, [`date +'%b %e, %Y'`])

-AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service])
+AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service])
 AC_CONFIG_HEADER([config.h])
 AC_OUTPUT
--- a/contrib/README
+++ b/contrib/README
@ -31,9 +31,8 @@ distribution but may be helpful.
  Contributed by Yuri Voinov.
 * unbound.socket and unbound.service: systemd files for unbound, install them
  in /usr/lib/systemd/system.  Contributed by Sami Kerola and Pavel Odintsov.
-* unbound_nochroot.service.in: systemd file for use with chroot: "", see
-  comments in the file, it uses systemd protections instead.  Contributed
-  by Frzk.
+* unbound_portable.service.in: systemd file for use unbound as portable service,
+  see comments in the file. Contributed by Frzk.
 * redirect-bogus.patch: Return configured address for bogus A and AAAA answers,
  instead of SERVFAIL. Contributed by SIDN.
 * fastrpz.patch: fastrpz support from Farsight Security.
--- a/contrib/unbound_nochroot.service.in
+++ b/contrib/unbound_nochroot.service.in
@ -1,97 +0,0 @@
-; This unit file is provided to run unbound without chroot.
-;
-; To use this unit file, please make sure you either compile unbound with the
-; following options:
-;
-;  - --with-pidfile=/run/unbound/unbound.pid
-;  - --with-chroot-dir=""
-;
-; Or put the following options in your unbound configuration file:
-;
-;  - chroot: ""
-;  - pidfile: /run/unbound/unbound.pid
-;
-; Running without the chroot doesn't mean it's less secure. Simply put, we will
-; instead rely on a few systemd directives to harden the service.
-; To quote systemd : it's like a chroot on steroids !
-;
-; The most important parts are :
-;
-;   - `ProtectSystem=strict` implies we mount the entire file system hierarchy
-;     read-only for the processes invoked by the unit except for the API file
-;     system subtrees /dev, /proc and /sys (which are protected by
-;     PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
-;
-;   - `PrivateTmp=yes` secures access to temporary files of the process, and
-;     makes sharing between processes via /tmp or /var/tmp impossible.
-;
-;   - `ProtectHome=yes` makes the directories /home, /root, and /run/user
-;     inaccessible and empty for processes invoked by the unit.
-;
-;   - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
-;     (accessible through /sys/fs/cgroup) read-only to all processes invoked by
-;     the unit. It also implies `MountAPIVFS=yes`.
-;
-;   - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
-;     unit User and Group with read-write permissions (0755) as soon as the
-;     unit starts. This allows unbound to store its pidfile. The directory and
-;     its content are automatically removed by systemd when the unit stops.
-;
-;   - `NoNewPrivileges=yes` ensures that the service process and all its
-;     children can never gain new privileges through execve().
-;
-;   - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
-;     (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
-;
-;   - `RestrictRealTime=yes` ensures that any attempts to enable realtime
-;     scheduling in a process invoked by the unit will be denied.
-;
-;   - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
-;     is prohibited.
-;
-;   - `LockPersonality=yes` locks down the personality system call so that the
-;     kernel execution domain may not be changed from the default.
-;
-;
-; For further details about the directives used in this unit file, including
-; the above, please refer to systemd's official documentation, available at
-; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
-;
-;
-[Unit]
-Description=Validating, recursive, and caching DNS resolver
-Documentation=man:unbound(8)
-After=network.target
-Before=network-online.target nss-lookup.target
-Wants=nss-lookup.target
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
-ExecReload=+/bin/kill -HUP $MAINPID
-ExecStop=+/bin/kill -TERM $MAINPID
-NotifyAccess=main
-Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID \
-        CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectHome=true
-ProtectControlGroups=true
-ProtectKernelModules=true
-ProtectSystem=strict
-ConfigurationDirectory=unbound
-RuntimeDirectory=unbound
-BindPaths=/run/systemd/notify
-BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-RestrictRealtime=true
-SystemCallArchitectures=native
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
-RestrictNamespaces=yes
-LockPersonality=yes
-RestrictSUIDSGID=yes
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@ -0,0 +1,50 @@
+; This unit file is provided to run unbound as portable service.
+; https://systemd.io/PORTABLE_SERVICES/
+;
+; To use this unit file, please make sure you either compile unbound with the
+; following options:
+;
+;  - --with-pidfile=/run/unbound/unbound.pid
+;  - --with-chroot-dir=""
+;
+; Or put the following options in your unbound configuration file:
+;
+;  - chroot: ""
+;  - pidfile: /run/unbound/unbound.pid
+;
+;
+[Unit]
+Description=Validating, recursive, and caching DNS resolver
+Documentation=man:unbound(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+ExecReload=+/bin/kill -HUP $MAINPID
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+NotifyAccess=main
+Type=notify
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=strict
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+BindPaths=/run/systemd/notify
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout