unbound service: some pre-chroot isolation

While entering the chroot should provide the same amount of isolation,
the preStart script will run with full root privileges and so would
benefit from some isolation as well (in particular due to
unbound-anchor, which can perform network I/O).
Joachim Fasting 2016-09-01 18:53:06 +02:00
parent 39f5182a30
commit 5dc60051fa
No known key found for this signature in database
GPG Key ID: 7544761007FE4E08


@ -122,6 +122,10 @@ in
serviceConfig = {
ExecStart = "${pkgs.unbound}/bin/unbound -d -c ${stateDir}/unbound.conf";
ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random";
ProtectSystem = true;
ProtectHome = true;
PrivateDevices = true;
};
};
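Review bot: `PrivateDevices = true` (with the private mount namespace it sets up) needs to be checked against the `ExecStopPost` umount of `${stateDir}/dev/random` two lines above it: systemd sets up the namespace sandbox separately for every Exec* command of the unit, so a bind mount that the preStart script creates inside its own sandbox is not automatically visible to `ExecStart` or to the `ExecStopPost` umount, and the umount may then fail or leave the mount behind on the host. Before merging, confirm after a `systemctl restart unbound` that the unbound process still sees a working `/dev/random` inside the chroot and that the umount in `ExecStopPost` succeeds; if it does not, the mount has to be made in the same command as the daemon start or the preStart/stop pair has to be redesigned around the namespace. `ProtectSystem = true` only makes `/usr` and `/boot` read-only, so writes by unbound-anchor into `${stateDir}` are unaffected as long as the state directory stays outside those trees; note that in the commit message or a comment so a later switch to `"full"` or `"strict"` does not silently break the anchor update.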