From c2ef5743a286783242c634b9190444b212a6d743 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Wed, 26 Jun 2024 12:12:54 -0700
Subject: [PATCH] Improve unbound systemd hardening

Signed-off-by: Tommy
---
 etc/systemd/system/unbound.service.d/override-chroot.conf | 5 +++--
 etc/systemd/system/unbound.service.d/override.conf | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/etc/systemd/system/unbound.service.d/override-chroot.conf b/etc/systemd/system/unbound.service.d/override-chroot.conf
index 7726bf4..2c50696 100644
--- a/etc/systemd/system/unbound.service.d/override-chroot.conf
+++ b/etc/systemd/system/unbound.service.d/override-chroot.conf
@@ -10,9 +10,10 @@ ProtectControlGroups=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 # This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility.
-ProtectKernelTunables=false
+ProtectKernelTunables=true
 ProtectProc=invisible
-#ProtectSystem=strict
+# ProtectSystem with strict does not work - need further testing.
+ProtectSystem=full
 #RuntimeDirectory=unbound
 #ConfigurationDirectory=unbound
 #StateDirectory=unbound
diff --git a/etc/systemd/system/unbound.service.d/override.conf b/etc/systemd/system/unbound.service.d/override.conf
index 2d92d56..3ac7132 100644
--- a/etc/systemd/system/unbound.service.d/override.conf
+++ b/etc/systemd/system/unbound.service.d/override.conf
@@ -12,7 +12,8 @@ ProtectKernelModules=true
 # This breaks using socket options like 'so-rcvbuf'.
 ProtectKernelTunables=true
 ProtectProc=invisible
-#ProtectSystem=strict
+# ProtectSystem with strict does not work - need further testing.
+ProtectSystem=full
 #RuntimeDirectory=unbound
 #ConfigurationDirectory=unbound
 #StateDirectory=unbound
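Review bot: The context comment directly above the changed line in override-chroot.conf still ends with `Explicitly disable for visibility.` while the new line sets `ProtectKernelTunables=true`, so the comment now contradicts the setting it describes; drop that sentence or reword it to something like `# Blocks socket options like 'so-rcvbuf'; set to false only if those are needed.` so the file matches override.conf, whose comment already omits the "disable" wording. The `ProtectSystem=full` line added here, and identically in the override.conf hunk, mounts /etc read-only for the service, which matters if unbound keeps writable state under /etc (for example an auto-trust-anchor-file inside a chroot at /etc/unbound); that location is inferred from the file name rather than visible here, so it should be confirmed before relying on `full`. If a writable path under /etc is the reason `strict` failed, a `ReadWritePaths=` entry for that directory, or un-commenting `StateDirectory=unbound` and pointing the writable file there, would likely let `ProtectSystem=strict` work instead of parking it. The added comment `# ProtectSystem with strict does not work - need further testing.` would be more useful to the next maintainer if it recorded what actually failed (the unit status or log message seen), so the follow-up does not have to rediscover it.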