contrib/unbound/contrib/unbound.service.in

   1 [Unit]
   2 Description=Validating, recursive, and caching DNS resolver
   3 Documentation=man:unbound(8)
   4 After=network.target
   5 Before=network-online.target nss-lookup.target
   6 Wants=nss-lookup.target
   7
   8 [Install]
   9 WantedBy=multi-user.target
  10
  11 [Service]
  12 ExecReload=+/bin/kill -HUP $MAINPID
  13 ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
  14 NotifyAccess=main
  15 Type=notify
  16 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
  17 MemoryDenyWriteExecute=true
  18 NoNewPrivileges=true
  19 PrivateDevices=true
  20 PrivateTmp=true
  21 ProtectHome=true
  22 ProtectControlGroups=true
  23 ProtectKernelModules=true
  24 ProtectSystem=strict
  25 ReadWritePaths=/run @UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
  26 TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
  27 TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
  28 BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
  29 BindPaths=-@UNBOUND_PIDFILE@:@UNBOUND_CHROOT_DIR@@UNBOUND_PIDFILE@
  30 BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
  31 BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
  32 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
  33 RestrictRealtime=true
  34 SystemCallArchitectures=native
  35 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
  36 RestrictNamespaces=yes
  37 LockPersonality=yes
  38 RestrictSUIDSGID=yes