- Fix #1229: Systemd service sandboxing in contrib/unbound.service.

git-svn-id: file:///svn/unbound/trunk@4032 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-31 11:59:36 -05:00 · 2017-03-06 15:27:36 +00:00 · 2017-03-06 15:27:36 +00:00 · 7e6e9a0155
commit 7e6e9a0155
parent 6137f1b0b2
2 changed files with 21 additions and 0 deletions
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@ -6,3 +6,21 @@ ExecReload=/bin/kill -HUP $MAINPID

 [Install]
 WantedBy=multi-user.target
+
+[Unit]
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/etc/unbound /run
+RestrictAddressFamilies=AF_INET AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,6 @@
+6 March 2017: Wouter
+	- Fix #1229: Systemd service sandboxing in contrib/unbound.service.
+
 28 February 2017: Ralph
 	- Fix testpkts.c, check if DO bit is set, not only if there is an OPT
 	  record.