1 files changed, 49 insertions, 0 deletions

diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
new file mode 100644
index 000000000000..998b66dec999
--- /dev/null
+++ b/contrib/unbound_portable.service.in
@@ -0,0 +1,49 @@
+; This unit file is provided to run unbound as portable service.
+; https://systemd.io/PORTABLE_SERVICES/
+;
+; To use this unit file, please make sure you either compile unbound with the
+; following options:
+;
+;  - --with-chroot-dir=""
+;
+; Or put the following options in your unbound configuration file:
+;
+;  - chroot: ""
+;
+;
+[Unit]
+Description=Validating, recursive, and caching DNS resolver
+Documentation=man:unbound(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+ExecReload=+/bin/kill -HUP $MAINPID
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
+NotifyAccess=main
+Type=notify
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=strict
+RuntimeDirectory=unbound
+ConfigurationDirectory=unbound
+StateDirectory=unbound
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictSUIDSGID=yes
+BindPaths=/run/systemd/notify
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout