From 1464bedce25f270508a3c9d921448afedc9ec9a2 Mon Sep 17 00:00:00 2001
From: Maryse47 <41080948+Maryse47@users.noreply.github.com>
Date: Fri, 24 Jan 2020 13:41:06 +0100
Subject: [PATCH 1/6] unbound.service.in: add RuntimeDirectory and ConfigurationDirectory
Adding 'RuntimeDirectory' is needed when pidfile path is set to subdirectory under /run. Adding ConfigurationDirectory may help in some non-standard setups. Also add more descriptions about used rules to avoid user confusion about they meaning and purpose.
---
 contrib/unbound.service.in | 63 ++++++++++++++++++++++++++++++++++----
 1 file changed, 57 insertions(+), 6 deletions(-)
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index 13ca4b294..d0e294213 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -1,3 +1,44 @@
+; For further details about the directives used in this unit file, including
+; the below, please refer to systemd's official documentation, available at
+; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
+;
+;
+; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
+; read-only for the processes invoked by the unit except for the API file
+; system subtrees /dev, /proc and /sys (which are protected by
+; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
+;
+; - `PrivateTmp=yes` secures access to temporary files of the process, and
+; makes sharing between processes via /tmp or /var/tmp impossible.
+;
+; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
+; inaccessible and empty for processes invoked by the unit.
+;
+; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
+; (accessible through /sys/fs/cgroup) read-only to all processes invoked by
+; the unit. It also implies `MountAPIVFS=yes`.
+;
+; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
+; unit User and Group with read-write permissions (0755) as soon as the
+; unit starts. This allows unbound to store its pidfile. The directory and
+; its content are automatically removed by systemd when the unit stops.
+;
+; - `NoNewPrivileges=yes` ensures that the service process and all its
+; children can never gain new privileges through execve().
+;
+; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
+; (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
+;
+; - `RestrictRealTime=yes` ensures that any attempts to enable realtime
+; scheduling in a process invoked by the unit will be denied.
+;
+; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
+; is prohibited.
+;
+; - `LockPersonality=yes` locks down the personality system call so that the
+; kernel execution domain may not be changed from the default.
+;
+;
 [Unit]
 Description=Validating, recursive, and caching DNS resolver
 Documentation=man:unbound(8)
@@ -22,12 +63,8 @@ ProtectHome=true
 ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectSystem=strict
-ReadWritePaths=/run @UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
-TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
-TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
-BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
-BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
-BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
@@ -35,3 +72,17 @@ SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete
 RestrictNamespaces=yes
 LockPersonality=yes
 RestrictSUIDSGID=yes
+ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
+
+# Below is needed when pidfile is stored directly under /run like /run/unbound.pid.
+# If pidfile is stored under subdirectory like /run/unbound/unbound.pid instead
+# then it may be safely removed.
+ReadWritePaths=/run
+
+# Below rules are needed when chroot is enabled (usually it's enabled by default).
+# If chroot is disabled like chrooot: "" then they may be safely removed.
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
+TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
+BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
+BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
+BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
From 72bfa5a48c309443a5eb62f8cfc2cd1219eb1401 Mon Sep 17 00:00:00 2001
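Review bot: The added header comment says /dev, /proc and /sys are protected by `PrivateDevices=`, `ProtectKernelTunables=` and `ProtectControlGroups=`, but no `ProtectKernelTunables=` line is visible in this file's [Service] hunks, nor in the unbound_nochroot unit the text was copied from, so the comment promises a protection the unit does not appear to set; either add `ProtectKernelTunables=true` next to `ProtectKernelModules=true` or drop the reference from the comment. Two smaller accuracy issues in the same block: the `RuntimeDirectory=unbound` entry says the directory is owned by the unit User and Group, which only holds if the unit sets `User=`/`Group=` (none is visible here, and the CAP_SETUID/CAP_SETGID in the bounding set suggest unbound drops privileges itself), and the entry is spelled `RestrictRealTime=` while the directive the file actually sets is `RestrictRealtime=true`. The block also documents the other directives as `=yes` while the file sets `=true`; both are accepted booleans, but matching the spelling used in the file keeps a reader from grepping for the wrong token.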
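Review bot: `ReadWritePaths=/run` in the last hunk makes the whole /run hierarchy writable inside the service's mount namespace, which is far wider than the pidfile it is added for and removes the `ProtectSystem=strict` protection from everything under /run, including /run/systemd. Since the same commit adds `RuntimeDirectory=unbound`, the narrower default is to ship only `ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@` and leave the /run-wide grant as a documented opt-in for setups whose pidfile sits directly under /run; at minimum the comment above it should state that it opens all of /run, not just the pidfile. PATCH 6/6 later in this series drops the line together with the pidfile, which resolves this for the final state but leaves the intermediate commits with the broad grant. Also, `chrooot` in the second added comment is a typo for `chroot`.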
From: Maryse47 <41080948+Maryse47@users.noreply.github.com> Date: Sat, 25 Jan 2020 00:48:25 +0100 Subject: [PATCH 2/6] Move unbound_nochroot.service to unbound_portable.service The real purpose of this service is to make it work with https://systemd.io/PORTABLE_SERVICES/ which are incompatible with chroot workarounds from original unbound.service. The service content is identical to unbound.service with exception for chroot related rules which were modified as needed. --- configure | 4 +- configure.ac | 2 +- contrib/README | 5 +- contrib/unbound_nochroot.service.in | 97 ----------------------------- contrib/unbound_portable.service.in | 50 +++++++++++++++ 5 files changed, 55 insertions(+), 103 deletions(-) delete mode 100644 contrib/unbound_nochroot.service.in create mode 100644 contrib/unbound_portable.service.in diff --git a/configure b/configure index d5f8d8cee..cc9ac46e8 100755 --- a/configure +++ b/configure @@ -21441,7 +21441,7 @@ version=1.9.7 date=`date +'%b %e, %Y'` -ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service" +ac_config_files="$ac_config_files Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service" ac_config_headers="$ac_config_headers config.h" 
@@ -22447,7 +22447,7 @@ do "contrib/libunbound.pc") CONFIG_FILES="$CONFIG_FILES contrib/libunbound.pc" ;; "contrib/unbound.socket") CONFIG_FILES="$CONFIG_FILES contrib/unbound.socket" ;; "contrib/unbound.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound.service" ;; - "contrib/unbound_nochroot.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_nochroot.service" ;; + "contrib/unbound_portable.service") CONFIG_FILES="$CONFIG_FILES contrib/unbound_portable.service" ;; "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; diff --git a/configure.ac b/configure.ac index a356dcf7d..47a86c560 100644 --- a/configure.ac +++ b/configure.ac @@ -2056,6 +2056,6 @@ dnl if this is a distro tarball, that was already done by makedist.sh AC_SUBST(version, [VERSION_MAJOR.VERSION_MINOR.VERSION_MICRO]) AC_SUBST(date, [`date +'%b %e, %Y'`]) -AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_nochroot.service]) +AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8 doc/unbound-host.1 smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service contrib/unbound_portable.service]) AC_CONFIG_HEADER([config.h]) AC_OUTPUT diff --git a/contrib/README b/contrib/README index 1dce78c09..d8afceabd 100644 --- a/contrib/README +++ b/contrib/README 
@@ -31,9 +31,8 @@ distribution but may be helpful. Contributed by Yuri Voinov. * unbound.socket and unbound.service: systemd files for unbound, install them in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov. -* unbound_nochroot.service.in: systemd file for use with chroot: "", see - comments in the file, it uses systemd protections instead. Contributed - by Frzk. +* unbound_portable.service.in: systemd file for use unbound as portable service, + see comments in the file. Contributed by Frzk. * redirect-bogus.patch: Return configured address for bogus A and AAAA answers, instead of SERVFAIL. Contributed by SIDN. * fastrpz.patch: fastrpz support from Farsight Security. diff --git a/contrib/unbound_nochroot.service.in b/contrib/unbound_nochroot.service.in deleted file mode 100644 index 301062e38..000000000 --- a/contrib/unbound_nochroot.service.in +++ /dev/null 
@@ -1,97 +0,0 @@
-; This unit file is provided to run unbound without chroot.
-;
-; To use this unit file, please make sure you either compile unbound with the
-; following options:
-;
-; - --with-pidfile=/run/unbound/unbound.pid
-; - --with-chroot-dir=""
-;
-; Or put the following options in your unbound configuration file:
-;
-; - chroot: ""
-; - pidfile: /run/unbound/unbound.pid
-;
-; Running without the chroot doesn't mean it's less secure. Simply put, we will
-; instead rely on a few systemd directives to harden the service.
-; To quote systemd : it's like a chroot on steroids !
-;
-; The most important parts are :
-;
-; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
-; read-only for the processes invoked by the unit except for the API file
-; system subtrees /dev, /proc and /sys (which are protected by
-; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
-;
-; - `PrivateTmp=yes` secures access to temporary files of the process, and
-; makes sharing between processes via /tmp or /var/tmp impossible.
-;
-; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
-; inaccessible and empty for processes invoked by the unit.
-;
-; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
-; (accessible through /sys/fs/cgroup) read-only to all processes invoked by
-; the unit. It also implies `MountAPIVFS=yes`.
-;
-; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
-; unit User and Group with read-write permissions (0755) as soon as the
-; unit starts. This allows unbound to store its pidfile. The directory and
-; its content are automatically removed by systemd when the unit stops.
-;
-; - `NoNewPrivileges=yes` ensures that the service process and all its
-; children can never gain new privileges through execve().
-;
-; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
-; (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
-;
-; - `RestrictRealTime=yes` ensures that any attempts to enable realtime
-; scheduling in a process invoked by the unit will be denied.
-;
-; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
-; is prohibited.
-;
-; - `LockPersonality=yes` locks down the personality system call so that the
-; kernel execution domain may not be changed from the default.
-;
-;
-; For further details about the directives used in this unit file, including
-; the above, please refer to systemd's official documentation, available at
-; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
-;
-;
-[Unit]
-Description=Validating, recursive, and caching DNS resolver
-Documentation=man:unbound(8)
-After=network.target
-Before=network-online.target nss-lookup.target
-Wants=nss-lookup.target
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
-ExecReload=+/bin/kill -HUP $MAINPID
-ExecStop=+/bin/kill -TERM $MAINPID
-NotifyAccess=main
-Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID \
- CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectHome=true
-ProtectControlGroups=true
-ProtectKernelModules=true
-ProtectSystem=strict
-ConfigurationDirectory=unbound
-RuntimeDirectory=unbound
-BindPaths=/run/systemd/notify
-BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-RestrictRealtime=true
-SystemCallArchitectures=native
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
-RestrictNamespaces=yes
-LockPersonality=yes
-RestrictSUIDSGID=yes
diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
new file mode 100644
index 000000000..53dc8701b
--- /dev/null
+++ b/contrib/unbound_portable.service.in
@@ -0,0 +1,50 @@
+; This unit file is provided to run unbound as portable service.
+; https://systemd.io/PORTABLE_SERVICES/
+;
+; To use this unit file, please make sure you either compile unbound with the
+; following options:
+;
+; - --with-pidfile=/run/unbound/unbound.pid
+; - --with-chroot-dir=""
+;
+; Or put the following options in your unbound configuration file:
+;
+; - chroot: ""
+; - pidfile: /run/unbound/unbound.pid
+;
+;
+[Unit]
+Description=Validating, recursive, and caching DNS resolver
+Documentation=man:unbound(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+ExecReload=+/bin/kill -HUP $MAINPID
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+NotifyAccess=main
+Type=notify
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=strict
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+BindPaths=/run/systemd/notify
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
From cfce0a5e60cbe4c11a52b6b084265dae437b05ec Mon Sep 17 00:00:00 2001
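Review bot: The new portable unit documents that it must run with `chroot: ""` (or `--with-chroot-dir=""`), yet `CapabilityBoundingSet=` still carries `CAP_SYS_CHROOT`, which is only needed to enter a chroot; for a unit whose stated precondition is no chroot it can be removed, `CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_NET_RAW`. The same bounding set is carried forward unchanged in the portable-unit hunks of PATCH 4/6, 5/6 and 6/6 below. Separately, the commit message says the content is identical to the old unit except for chroot-related rules, but `ExecStop=+/bin/kill -TERM $MAINPID` from the deleted unbound_nochroot.service.in was not carried over; if that is intentional (systemd's default stop signal is SIGTERM anyway) it is worth a line in the message so the omission is not read as accidental.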
From: Maryse47 <41080948+Maryse47@users.noreply.github.com>
Date: Mon, 27 Jan 2020 13:46:31 +0100
Subject: [PATCH 3/6] unbound.service.in: add StateDirectory
State directory will be created under /var/lib/unbound and will be useful for writing various files managed at runtime like trust anchors updates there instead of in ConfigureDirectory which could be made read-only next. For this chroot needs to be disabled.
---
 contrib/unbound.service.in | 1 +
 contrib/unbound_portable.service.in | 1 +
 2 files changed, 2 insertions(+)
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index d0e294213..b1211a4be 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -65,6 +65,7 @@ ProtectKernelModules=true
 ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
+StateDirectory=unbound
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
index 53dc8701b..cbfc58f99 100644
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@@ -39,6 +39,7 @@ ProtectKernelModules=true
 ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
+StateDirectory=unbound
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
From c0789a878556b482e53a52228fae30765f2d06b2 Mon Sep 17 00:00:00 2001
From: Maryse47 <41080948+Maryse47@users.noreply.github.com>
Date: Mon, 27 Jan 2020 18:31:10 +0100
Subject: [PATCH 4/6] unbound.service.in: allow CAP_CHOWN
CAP_CHOWN is needed for changing onwership of pidfile before dropping privileges and truncate pidfile on exit.
---
 contrib/unbound.service.in | 2 +-
 contrib/unbound_portable.service.in | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index b1211a4be..e3361db59 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -54,7 +54,7 @@ ExecReload=+/bin/kill -HUP $MAINPID
 ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
index cbfc58f99..9e830cd21 100644
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@@ -28,7 +28,7 @@ ExecReload=+/bin/kill -HUP $MAINPID
 ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
From 939cf38576727ac2f52d3aacae4b446caad039e5 Mon Sep 17 00:00:00 2001
From: Maryse47 <41080948+Maryse47@users.noreply.github.com>
Date: Tue, 28 Jan 2020 18:42:41 +0100
Subject: [PATCH 5/6] unbound.service.in: drop CAP_IPC_LOCK
CAP_IPC_LOCK controls whether a process can lock pages into physical memory (for instance to prevent passwords or private keys from being swapped to disk), e.g. mmap() with the MAP_LOCKED flag or shmctl() with the SHM_LOCK command, neither of which seem to be used by unbound.
---
 contrib/unbound.service.in | 2 +-
 contrib/unbound_portable.service.in | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index e3361db59..ec6b3ba28 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
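Review bot: `CAP_CHOWN` is added to `CapabilityBoundingSet=` so unbound can re-own its pidfile before dropping privileges, but a bounding-set entry is not scoped to that one file: until privileges are dropped the process may chown anything writable in its mount namespace, which with the `ReadWritePaths=` lines elsewhere in this file includes @UNBOUND_RUN_DIR@, @UNBOUND_CHROOT_DIR@ and (at this point in the series) all of /run. PATCH 6/6 below removes the capability again by disabling the pidfile, so the series grants and then revokes it; squashing this commit into 6/6 would avoid an intermediate state with the wider grant. The portable-unit hunk below carries the same change. The commit message also has a typo, `onwership`.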
@@ -54,7 +54,7 @@ ExecReload=+/bin/kill -HUP $MAINPID
 ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
index 9e830cd21..a77df49fa 100644
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@@ -28,7 +28,7 @@ ExecReload=+/bin/kill -HUP $MAINPID
 ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
From 9aa4b5a7a61f3fc03d49e904cca6d31523e8b073 Mon Sep 17 00:00:00 2001
From: Maryse47 <41080948+Maryse47@users.noreply.github.com>
Date: Tue, 28 Jan 2020 18:47:21 +0100
Subject: [PATCH 6/6] unbound.service.in: don't write pidfile at start
Pidfiles aren't needed while running unbound through systemd. The PID of the unbound daemon can still be obtained with: 'systemctl show --property MainPID --value unbound'. While disabling pidfiles we can also drop CAP_CHOWN and writable /run directory.
---
 contrib/unbound.service.in | 9 ++-------
 contrib/unbound_portable.service.in | 6 ++----
 2 files changed, 4 insertions(+), 11 deletions(-)
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index ec6b3ba28..8c51bcbbe 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -51,10 +51,10 @@ WantedBy=multi-user.target
 
 [Service]
 ExecReload=+/bin/kill -HUP $MAINPID
-ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
@@ -75,11 +75,6 @@ LockPersonality=yes
 RestrictSUIDSGID=yes
 ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
 
-# Below is needed when pidfile is stored directly under /run like /run/unbound.pid.
-# If pidfile is stored under subdirectory like /run/unbound/unbound.pid instead
-# then it may be safely removed.
-ReadWritePaths=/run
-
 # Below rules are needed when chroot is enabled (usually it's enabled by default).
 # If chroot is disabled like chrooot: "" then they may be safely removed.
 TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
index a77df49fa..998b66dec 100644
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@@ -4,13 +4,11 @@
 ; To use this unit file, please make sure you either compile unbound with the
 ; following options:
 ;
-; - --with-pidfile=/run/unbound/unbound.pid
 ; - --with-chroot-dir=""
 ;
 ; Or put the following options in your unbound configuration file:
 ;
 ; - chroot: ""
-; - pidfile: /run/unbound/unbound.pid
 ;
 ;
 [Unit]
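Review bot: With `-p` on `ExecStart=` the pidfile is no longer written, but the header comment introduced in PATCH 1/6 (near the top of unbound.service.in, outside this hunk) still says `RuntimeDirectory=unbound` exists so that unbound can store its pidfile, which is now stale; reword that sentence to `; unit starts. The unit passes -p to unbound, so no pidfile is written there.` or drop it, since the portable unit's header was updated in this commit but this one was not. Dropping `CAP_CHOWN` and the /run-wide `ReadWritePaths=` together with the pidfile is the right direction. If `-p` takes precedence over a `pidfile:` setting in unbound.conf, users who relied on that file will silently lose it, which is worth stating in the commit message or the file's header comment. The portable-unit hunk below makes the same `-p` and `CAP_CHOWN` change.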
@@ -25,10 +23,10 @@ WantedBy=multi-user.target
 
 [Service]
 ExecReload=+/bin/kill -HUP $MAINPID
-ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true