Improvements and fixes for systemd unbound.service #76
1. Remove `ProtectKernelTunables=true`: this prevents various socket options from working, as shown below.

   `unbound warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.`

2. Add `CAP_NET_ADMIN` to the available caps, which is needed for the `ip-transparent: yes` config option to work, as shown below.

   `unbound warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted`

3. Make `ReadWritePaths` less permissive: `UNBOUND_SYSCONF_DIR` equals `sysconfdir`, which usually equals `/etc`, and `UNBOUND_LOCALSTATE_DIR` equals `localstatedir`, which usually equals `/var`. Allowing write access to those dirs shouldn't be needed. The only dirs unbound should be allowed to write to are `/run` (for the pidfile), `@UNBOUND_RUN_DIR@` (for the chroot) and `@UNBOUND_CHROOT_DIR@` in case it differs from the previous one.

4. Bind-mount `/run/systemd/notify`, `UNBOUND_PIDFILE`, `/dev/log` and `/dev/urandom` in order to use them inside the chroot.

5. Add a few extra hardening options: `RestrictNamespaces`, `LockPersonality` and `RestrictSUIDSGID` should be safe to use.
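The unit below is an added example of what the five points in the description look like as systemd directives. It is neither the project's contrib/unbound.service.in nor the diff of this pull request. All paths are assumptions chosen for the example: /run/unbound stands in for both @UNBOUND_RUN_DIR@ and @UNBOUND_CHROOT_DIR@, the pidfile is placed inside it (so it needs no bind mount of its own), and the configuration lives in /etc/unbound. It also binds the configuration directory read-only into the chroot, which the description does not list, because unbound re-reads unbound.conf from inside the chroot on a SIGHUP reload.

```ini
# Added example, not the project's unit file.  Assumed layout:
#   @UNBOUND_RUN_DIR@ = @UNBOUND_CHROOT_DIR@ = /run/unbound
#   unbound.conf:  chroot: "/run/unbound"
#                  pidfile: "/run/unbound/unbound.pid"   (inside the chroot)
#   config dir:    /etc/unbound                          (read-only is enough)
#   unbound built with --enable-systemd, so it can use Type=notify.
[Unit]
Description=Validating, recursive, caching DNS resolver
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=notify
NotifyAccess=main
# -d: stay in the foreground (NLnetLabs#83 on this page); systemd tracks the PID.
ExecStart=/usr/sbin/unbound -d
ExecReload=+/bin/kill -HUP $MAINPID

# Items 1 and 2: no ProtectKernelTunables=, and CAP_NET_ADMIN in the bounding
# set, so that
#   - setsockopt(IP_TRANSPARENT) for "ip-transparent: yes" is permitted, and
#   - so-rcvbuf/so-sndbuf above net.core.rmem_max/wmem_max can be granted via
#     SO_RCVBUFFORCE/SO_SNDBUFFORCE, which the kernel ties to CAP_NET_ADMIN.
# NLnetLabs#82 (merged later, see the commit list on this page) narrowed this
# to CAP_NET_RAW, which the kernel also accepts for IP_TRANSPARENT.  With only
# CAP_NET_RAW, raise net.core.rmem_max with sysctl instead of relying on
# so-rcvbuf, otherwise the "so-rcvbuf ... was not granted" warning returns.
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE

# Item 3: the whole file system is read-only; only the run dir (pidfile and
# chroot) is writable.  /etc and /var are deliberately not listed.  If
# auto-trust-anchor-file points at /var/lib/unbound/root.key, that file must
# be bound writable into the chroot and added here, because unbound rewrites
# it for RFC 5011 updates.
ProtectSystem=strict
ProtectHome=true
RuntimeDirectory=unbound
ReadWritePaths=/run/unbound

# Item 4: make host objects reachable at the same relative paths inside the
# chroot.  /dev/log is a symlink to the journald socket on a systemd host, so
# the socket itself is used as the bind source.  connect() needs write
# permission on a socket file, so the two sockets are bound with BindPaths=;
# /dev/urandom and the config dir only need to be readable.
BindPaths=/run/systemd/notify:/run/unbound/run/systemd/notify
BindPaths=/run/systemd/journal/dev-log:/run/unbound/dev/log
BindReadOnlyPaths=/dev/urandom:/run/unbound/dev/urandom
BindReadOnlyPaths=/etc/unbound:/run/unbound/etc/unbound

# Item 5: extra sandboxing that a resolver has no reason to trip over.
RestrictNamespaces=true
LockPersonality=true
RestrictSUIDSGID=true

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze security unbound.service` shows which of these directives are in effect, and `journalctl -u unbound` should no longer contain the `so-rcvbuf ... was not granted` or `setsockopt(.. IP_TRANSPARENT ..) failed` warnings quoted above. Remember that in a drop-in file `ReadWritePaths=`, `BindPaths=` and `CapabilityBoundingSet=` merge with the values from the main unit; assign an empty value first if the intent is to tighten rather than extend.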
jedisct1 added a commit to jedisct1/unbound that referenced this pull request
Sep 21, 2019
* nlnet/master: (22 commits)
  Changelog entry for NLnetLabs#83 - Merge NLnetLabs#83 from Maryse47: contrib/unbound.service.in: do not fork into the background.
  unbound.service.in: do not fork into the background
  Changelog entry for NLnetLabs#81. - Merge NLnetLabs#81 from Maryse47: Consistently use /dev/urandom instead of /dev/random in scripts and docs.
  (Changelog entry for NLnetLabs#82). - Merge NLnetLabs#82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service.
  Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service
  Consistently use /dev/urandom instead of /dev/random in scripts and docs
  - Merge NLnetLabs#80 from stasic: Improve wording in man page. (Changelog entry for merge)
  Improve wording in man page
  - Fix wrong response ttl for prepended short CNAME ttls, this would create a wrong zero_ttl response count with serve-expired enabled.
  - Fix for oss-fuzz build warning.
  - Fix fix for NLnetLabs#78 to also free service callback struct.
  - oss-fuzz badge on README.md.
  - Merge pull request NLnetLabs#76 from Maryse47: Improvements and fixes for systemd unbound.service. (Changelog note for merge of NLnetLabs#76).
  - Fix NLnetLabs#78: Memory leak in outside_network.c.
  Improvements and fixes for systemd unbound.service
  - Use explicit bzero for wiping clear buffer of hash in cachedb, reported by Eric Sesterhenn from X41 D-Sec.
  - Fix NLnetLabs#72: configure --with-syslog-facility=LOCAL0-7 with default LOG_DAEMON (as before) can set the syslog facility that the server uses to log messages.
  - Fix NLnetLabs#71: fix openssl error squelch commit compilation error.
  - squelch DNS over TLS errors 'ssl handshake failed crypto error' on low verbosity, they show on verbosity 3 (query details), because there is a high volume and the operator cannot do anything for the remote failure. Specifically filters the high volume errors.
  - updated Makefile dependencies.
  ...