Bug 1229 - Systemd service sandboxing
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: unspecified
Hardware: x86_64 Linux
Importance: P5 trivial
Assigned To: unbound team
Reported: 2017-03-06 02:34 CET by unbound
Modified: 2017-03-22 08:22 CET (History)
Description unbound 2017-03-06 02:34:34 CET
Several features are now available in systemd to isolate systemd services. I came across this on the Arch Linux wiki (https://wiki.archlinux.org/index.php/Unbound#Sandboxing) which suggests the following can be added to the service:

[Unit]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/etc/unbound /run
RestrictAddressFamilies=AF_INET AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources

A downstream bug was filed with Arch Linux to provide an edited unit, since they provide the service file, but it was referred to the upstream project (https://bugs.archlinux.org/task/52700).
Comment 1 Wouter Wijngaards 2017-03-06 16:27:53 CET
Hi Wbarnett,

Thank you for the patch, I have appended these lines to the unbound.service file.

Best regards, Wouter
Comment 2 keznlbgw 2017-03-21 17:30:29 CET
Unfortunately, the options were added to the wrong systemd service sections. See the manuals for the valid options for each section:

https://www.freedesktop.org/software/systemd/man/systemd.service.html
https://www.freedesktop.org/software/systemd/man/systemd.unit.html
https://www.freedesktop.org/software/systemd/man/systemd.exec.html

I created a pull request on GitHub which fixes this, which you can mirror in the actual code.
Comment 4 Wouter Wijngaards 2017-03-22 08:22:49 CET
Hi,

Thanks!  Committed the patch.

Best regards, Wouter
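The mistake Comment 2 describes is easy to miss because systemd ignores keys it does not recognise in a section, so sandboxing directives placed under [Unit] are silently dropped and the service runs unconfined. The following is an added example, not code from the bug report or the Unbound project: a small linter that parses a unit file and reports the hardening keys from the reporter's snippet whenever they appear outside [Service]. The unit text it checks is constructed for the example.

```python
# Added example: lint a systemd unit for sandboxing keys placed in the wrong
# section. Not code from the bug report or the Unbound project.

# The directives from the reporter's snippet; all are systemd.exec settings
# and therefore belong in [Service] for a .service unit.
EXEC_KEYS = {
    "CapabilityBoundingSet", "MemoryDenyWriteExecute", "NoNewPrivileges",
    "PrivateDevices", "PrivateTmp", "ProtectHome", "ProtectControlGroups",
    "ProtectKernelModules", "ProtectKernelTunables", "ProtectSystem",
    "ReadWritePaths", "RestrictAddressFamilies", "RestrictRealtime",
    "SystemCallArchitectures", "SystemCallFilter",
}


def parse_unit(text):
    """Yield (section, key, value) per assignment; handles '#'/';' comments,
    blank lines and backslash line continuations like systemd does."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):            # continuation: join with next line
            pending = line[:-1] + " "
            continue
        pending = ""
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        yield section, key.strip(), value.strip()


def misplaced_hardening(text):
    """Return [(section, key)] for sandboxing keys found outside [Service]."""
    return [(s, k) for s, k, _ in parse_unit(text)
            if k in EXEC_KEYS and s != "Service"]


# Constructed input mirroring the bug: hardening keys appended under [Unit].
WRONG_UNIT = """\
[Unit]
Description=constructed example service
ProtectSystem=strict
ReadWritePaths=/etc/unbound /run
SystemCallFilter=~@clock @cpu-emulation @debug @keyring \\
    @module mount @obsolete @resources

[Service]
ExecStart=/usr/bin/unbound -d
"""

# Same keys under [Service], as the GitHub fix from Comment 2 intends.
FIXED_UNIT = "[Unit]\nDescription=x\n\n[Service]\nProtectSystem=strict\n"
```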