Bug 1229

Summary: Systemd service sandboxing
Product: unbound
Reporter: unbound
Component: server
Assignee: unbound team <unbound-team>
Status: RESOLVED FIXED
Severity: trivial
CC: cathya, keznlbgw, wouter
Priority: P5
Version: unspecified
Hardware: x86_64
OS: Linux

Description unbound 2017-03-06 02:34:34 CET
Several features are now available in systemd to isolate services. I came across this on the Arch Linux wiki (https://wiki.archlinux.org/index.php/Unbound#Sandboxing), which suggests the following can be added to the service:

[Unit]
# Capabilities the daemon may keep; all others are dropped
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
MemoryDenyWriteExecute=true
NoNewPrivileges=true
# Private /dev and /tmp, inaccessible home directories, read-only system tree
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
# With ProtectSystem=strict, only these paths remain writable
ReadWritePaths=/etc/unbound /run
RestrictAddressFamilies=AF_INET AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
# Deny-list ("~") of system call groups the daemon never needs
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources

A downstream bug was filed with Arch Linux to provide an edited unit, since they provide the service file, but it was referred to the upstream project (https://bugs.archlinux.org/task/52700).
Comment 1 Wouter Wijngaards 2017-03-06 16:27:53 CET
Hi Wbarnett,

Thank you for the patch, I have appended these lines to the unbound.service file.

Best regards, Wouter
Comment 2 keznlbgw 2017-03-21 17:30:29 CET
Unfortunately, the options were added to the wrong systemd service sections. See the manuals for the valid options of each section:

https://www.freedesktop.org/software/systemd/man/systemd.service.html
https://www.freedesktop.org/software/systemd/man/systemd.unit.html
https://www.freedesktop.org/software/systemd/man/systemd.exec.html

I created a pull request on GitHub which fixes this, which you can mirror in the actual code.
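As an added example, not part of this thread or of Unbound's own code: a small checker for the two slips discussed here, exec-sandboxing directives placed under [Unit] instead of [Service], and a SystemCallFilter entry that names a group without its leading '@'. The directive and group names come from the snippet above and systemd.exec(5); the sample unit text is constructed.

```python
"""Lint a systemd unit snippet for misplaced sandboxing directives."""

# Directives defined in systemd.exec(5); they only take effect in [Service]
# (or [Socket]/[Mount]/[Swap]), never in [Unit]. Limited to the snippet's set.
EXEC_DIRECTIVES = {
    "CapabilityBoundingSet", "MemoryDenyWriteExecute", "NoNewPrivileges",
    "PrivateDevices", "PrivateTmp", "ProtectHome", "ProtectControlGroups",
    "ProtectKernelModules", "ProtectKernelTunables", "ProtectSystem",
    "ReadWritePaths", "RestrictAddressFamilies", "RestrictRealtime",
    "SystemCallArchitectures", "SystemCallFilter",
}

# System call group names (used as @group) from systemd.exec(5) seen in the snippet.
SYSCALL_GROUPS = {"clock", "cpu-emulation", "debug", "keyring", "module",
                  "mount", "obsolete", "resources"}


def parse_unit(text):
    """Return (section, key, value) triples; keys may legitimately repeat."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip(), value.strip()))
    return entries


def check_unit(text):
    """Return a list of findings; an empty list means the snippet is clean."""
    findings = []
    for section, key, value in parse_unit(text):
        if key in EXEC_DIRECTIVES and section != "Service":
            findings.append(f"{key} is in [{section}] but only takes effect in [Service]")
        if key == "SystemCallFilter":
            # A leading '~' turns the whole list into a deny-list; strip it first.
            for tok in value.lstrip("~").split():
                if not tok.startswith("@") and tok in SYSCALL_GROUPS:
                    findings.append(f"SystemCallFilter: '{tok}' is also a group name; "
                                    f"'@{tok}' was probably intended")
    return findings


# Constructed sample reproducing the two problems from the bug description.
SAMPLE = "[Unit]\nProtectSystem=strict\nSystemCallFilter=~@clock @module mount @obsolete\n"

if __name__ == "__main__":
    for finding in check_unit(SAMPLE):
        print(finding)
```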
Comment 4 Wouter Wijngaards 2017-03-22 08:22:49 CET
Hi,

Thanks!  Committed the patch.

Best regards, Wouter