Merge pull request #151 from Maryse47/systemd_fix

Fixes for systemd units

configure

@@ -21603,7 +21603,7 @@ version=1.9.7
 date=`date +'%b %e, %Y'`
 
 
-ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service"
+ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service"
 
 ac_config_headers="$ac_config_headers config.h"
 
@@ -22609,7 +22609,7 @@ do
     "contrib/libunbound.pc") CONFIG_FILES="$CONFIG_FILES contrib/libunbound.pc" ;;
     "contrib/unbound.socket") CONFIG_FILES="$CONFIG_FILES contrib/unbound.socket" ;;
     "contrib/unbound.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound.service" ;;
-    "contrib/unbound_nochroot.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_nochroot.service" ;;
+    "contrib/unbound_portable.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_portable.service" ;;
     "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;

configure.ac

@@ -2103,6 +2103,6 @@ dnl if this is a distro tarball, that was already done by makedist.sh
 AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO])
 AC_SUBST(date, [`date +'%b %e, %Y'`])
 
-AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service])
+AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service])
 AC_CONFIG_HEADER([config.h])
 AC_OUTPUT

contrib/README

@@ -31,9 +31,8 @@ distribution but may be helpful.
   Contributed by Yuri Voinov.
 * unbound.socket and unbound.service: systemd files for unbound, install them
   in /usr/lib/systemd/system.  Contributed by Sami Kerola and Pavel Odintsov.
-* unbound_nochroot.service.in: systemd file for use with chroot: "", see
-  comments in the file, it uses systemd protections instead.  Contributed
-  by Frzk.
+* unbound_portable.service.in: systemd file for use unbound as portable service,
+  see comments in the file. Contributed by Frzk.
 * redirect-bogus.patch: Return configured address for bogus A and AAAA answers,
   instead of SERVFAIL. Contributed by SIDN.
 * fastrpz.patch: fastrpz support from Farsight Security.

contrib/unbound.service.in

@@ -1,3 +1,44 @@
+; For further details about the directives used in this unit file, including
+; the below, please refer to systemd's official documentation, available at
+; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
+;
+;
+;   - `ProtectSystem=strict` implies we mount the entire file system hierarchy
+;     read-only for the processes invoked by the unit except for the API file
+;     system subtrees /dev, /proc and /sys (which are protected by
+;     PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
+;
+;   - `PrivateTmp=yes` secures access to temporary files of the process, and
+;     makes sharing between processes via /tmp or /var/tmp impossible.
+;
+;   - `ProtectHome=yes` makes the directories /home, /root, and /run/user
+;     inaccessible and empty for processes invoked by the unit.
+;
+;   - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
+;     (accessible through /sys/fs/cgroup) read-only to all processes invoked by
+;     the unit. It also implies `MountAPIVFS=yes`.
+;
+;   - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
+;     unit User and Group with read-write permissions (0755) as soon as the
+;     unit starts. This allows unbound to store its pidfile. The directory and
+;     its content are automatically removed by systemd when the unit stops.
+;
+;   - `NoNewPrivileges=yes` ensures that the service process and all its
+;     children can never gain new privileges through execve().
+;
+;   - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
+;     (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
+;
+;   - `RestrictRealTime=yes` ensures that any attempts to enable realtime
+;     scheduling in a process invoked by the unit will be denied.
+;
+;   - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
+;     is prohibited.
+;
+;   - `LockPersonality=yes` locks down the personality system call so that the
+;     kernel execution domain may not be changed from the default.
+;
+;
 [Unit]
 Description=Validating, recursive, and caching DNS resolver
 Documentation=man:unbound(8)
@@ -10,10 +51,10 @@ WantedBy=multi-user.target
 
 [Service]
 ExecReload=+/bin/kill -HUP $MAINPID
-ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
@@ -22,12 +63,9 @@ ProtectHome=true
 ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectSystem=strict
-ReadWritePaths=/run @UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
-TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
-TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
-BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
-BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
-BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
+StateDirectory=unbound
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
@@ -35,3 +73,12 @@ SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete
 RestrictNamespaces=yes
 LockPersonality=yes
 RestrictSUIDSGID=yes
+ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
+
+# Below rules are needed when chroot is enabled (usually it's enabled by default).
+# If chroot is disabled like chrooot: "" then they may be safely removed.
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
+BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
+BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
+BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log

contrib/unbound_nochroot.service.in

@@ -1,97 +0,0 @@
-; This unit file is provided to run unbound without chroot.
-;
-; To use this unit file, please make sure you either compile unbound with the
-; following options:
-;
-;  - --with-pidfile=/run/unbound/unbound.pid
-;  - --with-chroot-dir=""
-;
-; Or put the following options in your unbound configuration file:
-;
-;  - chroot: ""
-;  - pidfile: /run/unbound/unbound.pid
-;
-; Running without the chroot doesn't mean it's less secure. Simply put, we will
-; instead rely on a few systemd directives to harden the service.
-; To quote systemd : it's like a chroot on steroids !
-;
-; The most important parts are :
-;
-;   - `ProtectSystem=strict` implies we mount the entire file system hierarchy
-;     read-only for the processes invoked by the unit except for the API file
-;     system subtrees /dev, /proc and /sys (which are protected by
-;     PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
-;
-;   - `PrivateTmp=yes` secures access to temporary files of the process, and
-;     makes sharing between processes via /tmp or /var/tmp impossible.
-;
-;   - `ProtectHome=yes` makes the directories /home, /root, and /run/user
-;     inaccessible and empty for processes invoked by the unit.
-;
-;   - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
-;     (accessible through /sys/fs/cgroup) read-only to all processes invoked by
-;     the unit. It also implies `MountAPIVFS=yes`.
-;
-;   - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
-;     unit User and Group with read-write permissions (0755) as soon as the
-;     unit starts. This allows unbound to store its pidfile. The directory and
-;     its content are automatically removed by systemd when the unit stops.
-;
-;   - `NoNewPrivileges=yes` ensures that the service process and all its
-;     children can never gain new privileges through execve().
-;
-;   - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
-;     (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
-;
-;   - `RestrictRealTime=yes` ensures that any attempts to enable realtime
-;     scheduling in a process invoked by the unit will be denied.
-;
-;   - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
-;     is prohibited.
-;
-;   - `LockPersonality=yes` locks down the personality system call so that the
-;     kernel execution domain may not be changed from the default.
-;
-;
-; For further details about the directives used in this unit file, including
-; the above, please refer to systemd's official documentation, available at
-; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
-;
-;
-[Unit]
-Description=Validating, recursive, and caching DNS resolver
-Documentation=man:unbound(8)
-After=network.target
-Before=network-online.target nss-lookup.target
-Wants=nss-lookup.target
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
-ExecReload=+/bin/kill -HUP $MAINPID
-ExecStop=+/bin/kill -TERM $MAINPID
-NotifyAccess=main
-Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID \
-        CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectHome=true
-ProtectControlGroups=true
-ProtectKernelModules=true
-ProtectSystem=strict
-ConfigurationDirectory=unbound
-RuntimeDirectory=unbound
-BindPaths=/run/systemd/notify
-BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-RestrictRealtime=true
-SystemCallArchitectures=native
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
-RestrictNamespaces=yes
-LockPersonality=yes
-RestrictSUIDSGID=yes

contrib/unbound_portable.service.in

@@ -0,0 +1,49 @@
+; This unit file is provided to run unbound as portable service.
+; https://systemd.io/PORTABLE_SERVICES/
+;
+; To use this unit file, please make sure you either compile unbound with the
+; following options:
+;
+;  - --with-chroot-dir=""
+;
+; Or put the following options in your unbound configuration file:
+;
+;  - chroot: ""
+;
+;
+[Unit]
+Description=Validating, recursive, and caching DNS resolver
+Documentation=man:unbound(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+ExecReload=+/bin/kill -HUP $MAINPID
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
+NotifyAccess=main
+Type=notify
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=strict
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
+StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+BindPaths=/run/systemd/notify
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout