From 7e6e9a01552ab919ef7bad11e6a37ce9b69f6c8e Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Mon, 6 Mar 2017 15:27:36 +0000
Subject: [PATCH] - Fix #1229: Systemd service sandboxing in contrib/unbound.service.
git-svn-id: file:///svn/unbound/trunk@4032 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 contrib/unbound.service.in | 18 ++++++++++++++++++
 doc/Changelog | 3 +++
 2 files changed, 21 insertions(+)
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index b33c3706d..e5b716c61 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -6,3 +6,21 @@ ExecReload=/bin/kill -HUP $MAINPID
 [Install]
 WantedBy=multi-user.target
+
+[Unit]
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/etc/unbound /run
+RestrictAddressFamilies=AF_INET AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+
diff --git a/doc/Changelog b/doc/Changelog
index 3c1801c29..87a0cc528 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+6 March 2017: Wouter
+ - Fix #1229: Systemd service sandboxing in contrib/unbound.service.
+
 28 February 2017: Ralph
 - Fix testpkts.c, check if DO bit is set, not only if there is an OPT record.
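Review bot: The sandboxing directives in the unbound.service.in hunk are added under a new `[Unit]` header, but CapabilityBoundingSet=, ProtectSystem=, SystemCallFilter= and the rest of them are [Service] settings, so systemd logs each as an unknown lvalue for that section and ignores it, and none of the hardening actually applies; the header should be `[Service]`, which merges with the section holding ExecReload that starts above the hunk. `RestrictAddressFamilies=AF_INET AF_UNIX` also omits AF_INET6, so any socket(AF_INET6) call fails inside the sandbox and IPv6 listeners and upstream queries break; `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` is the safer default for a resolver. In `SystemCallFilter=` the bare `mount` is a single syscall name rather than the `@mount` group, which looks deliberate since CAP_SYS_CHROOT stays in the bounding set, but a comment such as `# bare mount, not @mount: chroot(2) must stay available` would keep a later edit from "correcting" it. With CAP_KILL absent from the bounding set, `ExecReload=/bin/kill -HUP $MAINPID` may fail once the daemon has switched to its unprivileged user, which is worth verifying before this ships.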