1 ; For further details about the directives used in this unit file, including
2 ; the below, please refer to systemd's official documentation, available at
3 ; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
6 ; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
7 ; read-only for the processes invoked by the unit except for the API file
8 ; system subtrees /dev, /proc and /sys (which are protected by
9 ; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
11 ; - `PrivateTmp=yes` secures access to temporary files of the process, and
12 ; makes sharing between processes via /tmp or /var/tmp impossible.
14 ; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
15 ; inaccessible and empty for processes invoked by the unit.
17 ; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
18 ; (accessible through /sys/fs/cgroup) read-only to all processes invoked by
19 ; the unit. It also implies `MountAPIVFS=yes`.
21 ; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
22 ; unit User and Group with read-write permissions (0755) as soon as the
23 ; unit starts. This allows unbound to store its pidfile. The directory and
24 ; its content are automatically removed by systemd when the unit stops.
26 ; - `NoNewPrivileges=yes` ensures that the service process and all its
27 ; children can never gain new privileges through execve().
29 ; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
30 ; (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
32 ; - `RestrictRealTime=yes` ensures that any attempts to enable realtime
33 ; scheduling in a process invoked by the unit will be denied.
35 ; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
38 ; - `LockPersonality=yes` locks down the personality system call so that the
39 ; kernel execution domain may not be changed from the default.
43 Description=Validating, recursive, and caching DNS resolver
44 Documentation=man:unbound(8)
46 Before=network-online.target nss-lookup.target
47 Wants=nss-lookup.target
50 WantedBy=multi-user.target
53 ExecReload=+/bin/kill -HUP $MAINPID
54 ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
57 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
58 MemoryDenyWriteExecute=true
63 ProtectControlGroups=true
64 ProtectKernelModules=true
66 RuntimeDirectory=unbound
67 ConfigurationDirectory=unbound
68 StateDirectory=unbound
69 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
71 SystemCallArchitectures=native
72 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
73 RestrictNamespaces=yes
76 ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
78 # Below rules are needed when chroot is enabled (usually it's enabled by default).
79 # If chroot is disabled like chroot: "" then they may be safely removed.
80 TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
81 TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
82 BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
83 BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
84 BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log