mirror of
https://github.com/tommytran732/Linux-Setup-Scripts
synced 2024-11-08 19:21:33 -05:00
35 lines
1.3 KiB
Plaintext
35 lines
1.3 KiB
Plaintext
[Service]
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
|
|
MemoryDenyWriteExecute=true
|
|
NoNewPrivileges=true
|
|
PrivateDevices=true
|
|
PrivateTmp=true
|
|
ProtectHome=true
|
|
ProtectClock=true
|
|
ProtectControlGroups=true
|
|
ProtectKernelLogs=true
|
|
ProtectKernelModules=true
|
|
# This breaks using socket options like 'so-rcvbuf'.
|
|
ProtectKernelTunables=true
|
|
ProtectProc=invisible
|
|
# ProtectSystem with strict does not work - need further testing.
|
|
ProtectSystem=full
|
|
#RuntimeDirectory=unbound
|
|
#ConfigurationDirectory=unbound
|
|
#StateDirectory=unbound
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
|
RestrictRealtime=true
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
|
|
RestrictNamespaces=yes
|
|
LockPersonality=yes
|
|
RestrictSUIDSGID=yes
|
|
ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
|
|
|
|
# Below rules are needed when chroot is enabled (usually it's enabled by default).
|
|
# If chroot is disabled like chroot: "" then they may be safely removed.
|
|
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
|
|
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
|
|
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
|
|
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
|
|
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log |