contrib/unbound{,_portable}.service.in:
With the changes introduced in f6a527c25a
it is now necessary to also allow access to the AF_NETLINK socket
address family to be able to get information from interfaces.
Without the AF_NETLINK address family the systemd service errors with:
```
error: failed to list interfaces: getifaddrs: Address family not
supported by protocol
```
Fixes#350
This commit updates contrib/libunbound.pc.in to remove the "Requires:"
directive and move its contents to "Requires.private:".
The pkg-config manpage documents the Requires/Libs fields as follows:
Requires:
This is a comma-separated list of packages that are required by
your package. Flags from dependent packages will be merged in to
the flags reported for your package. Optionally, you can specify
the version of the required package (using the operators =, <,
>, >=, <=); specifying a version allows pkg-config to perform
extra sanity checks. You may only mention the same package one
time on the Requires: line. If the version of a package is un‐
specified, any version will be used with no checking.
Requires.private:
A list of packages required by this package. The difference from
Requires is that the packages listed under Requires.private are
not taken into account when a flag list is computed for dynami‐
cally linked executable (i.e., when --static was not specified).
In the situation where each .pc file corresponds to a library,
Requires.private shall be used exclusively to specify the depen‐
dencies between the libraries.
Libs: This line should give the link flags specific to your package.
Don't add any flags for required packages; pkg-config will add
those automatically.
Libs.private:
This line should list any private libraries in use. Private li‐
braries are libraries which are not exposed through your li‐
brary, but are needed in the case of static linking. This dif‐
fers from Requires.private in that it references libraries that
do not have package files installed.
In other words:
1) "Requires:" should specify the name of .pc packages that are required
to be installed to compile and dynamically link against libunbound. This
corresponds to needing the -dev (or -devel) package containing the .pc
file to be installed on the system. Since libunbound's header files
actually do not have any includes on any other library's headers, the
"Requires:" directive should be empty.
2) "Requires.private:" specifies the name of .pc packages that
correspond to libraries that are required to be installed to statically
link against libunbound. E.g., if libunbound.a has undefined symbols
event_* that are in libevent.a, statically linking against libunbound.a
requires statically linking libevent.a, and because libevent has a .pc
file, this means "libevent" should appear in libunbound.pc's
"Requires.private:" directive.
3) "Libs:" specifies the link flags needed to link against libunbound,
only, not including any dependencies.
4) "Libs.private:" specifies the link flags needed to statically link
against libraries that libunbound depends on that do not have .pc files.
I think it's possible for unbound's build system to actually declare
link flags under "Libs.private:" for some libraries that do have .pc
files (e.g. libcrypto/-lcrypto, libssl/-lssl, for OpenSSL) but in
practice this appears to be harmless.
Given #1 above that libunbound does not have any header dependencies
against any other packages it does not appear that "Requires:" is needed
at all. See https://bugs.debian.org/958331 for an example of a bug
report that this causes. We should not need to install the nettle-dev
package only for building binaries that compile against the libunbound
headers and link against the libunbound library.
Pidfiles aren't needed while running unbound through systemd.
The PID of the unbound daemon can still be obtained with:
'systemctl show --property MainPID --value unbound'.
While disabling pidfiles we can also drop CAP_CHOWN and writable
/run directory.
CAP_IPC_LOCK controls whether a process can lock pages into physical
memory (for instance to prevent passwords or private keys from
being swapped to disk), e.g. mmap() with the MAP_LOCKED flag or
shmctl() with the SHM_LOCK command, neither of which seem to be
used by unbound.
State directory will be created under /var/lib/unbound and will be
useful for writing various files managed at runtime like trust
anchors updates there instead of in ConfigureDirectory which could
be made read-only next. For this chroot needs to be disabled.
The real purpose of this service is to make it work with
https://systemd.io/PORTABLE_SERVICES/ which are incompatible with
chroot workarounds from original unbound.service.
The service content is identical to unbound.service with exception
for chroot related rules which were modified as needed.
Adding 'RuntimeDirectory' is needed when pidfile path is set to
subdirectory under /run.
Adding ConfigurationDirectory may help in some non-standard setups.
Also add more descriptions about used rules to avoid user confusion
about they meaning and purpose.
This commit removes the hardcoded dependency in the libunbound
pkg-config .pc file on the libcrypto and libssl modules and instead
populates the .pc file based on which crypto library was selected at
configure time.
Note that the .pc file specifies pkg-config module names for the
"Requires" line and this can vary from the library filename (e.g. "nss"
is the pkg-config module name vs. "nss3" being the library name).
According to the pkg-config manpage, the "Libs" line in a .pc file
should give the link flags "specific to your package", and specifically
says not to include link flags for dependencies:
Libs: This line should give the link flags specific to your
package. Don't add any flags for required packages;
pkg-config will add those automatically.
Add a new configure option `--with-libbsd', which allows to use libbsd's
portable implementations of:
strlcpy strlcat arc4random arc4random_uniform reallocarray
instead of the embedded code copies in contrib/, which will be
difficult to maintain in the long term.
Also patch util/random.c so that, when building with libbsd and without
OpenSSL, arc4random can still be used as the PRNG. Otherwise, building
with libnettle would need a kernel-specific getentropy implementation,
and libbsd does not export one.
[edmonds@debian.org: Imported patch description from BTS, refreshed
patch against Unbound 1.9.6.]
- Merge PR#150 from Frzk: Systemd unit without chroot. It add
contrib/unbound_nochroot.service.in, a systemd file for use with
chroot: "", see comments in the file, it uses systemd protections
instead.
replacements for unbound-fuzzme.c that gets created after applying
the contrib/unbound-fuzzme.patch. They are contributed by
Eric Sesterhenn from X41 D-Sec.
queries, to stop random floods. Apply with
patch -p1 < contrib/drop-tld.diff and compile.
From Saksham Manchanda (Secure64). Please note that we think this
will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
lookups for downstream clients.
CAP_KILL seems a bit too much privileges for the sole purpose of being able to make ExecReload= work.
Use the + prefix on ExecReload= instead to run "/bin/kill -HUP $MAINPID" with full privileges, ignoring the restrictions from CapabilityBoundingSet=.
See https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart= for further details about the + prefix in ExecReload=.
The ExecReload command calls kills on a process owned by the unbound user (or whatever user is configured). To do so, it needs the CAP_KILL capability.
This is needed when unbound config doesn't set "do-daemonize: no" by itself otherwise starting service fails with:
systemd[1]: unbound.service: Got notification message from PID <PID>, but reception only permitted for main PID which is currently not known
https://github.com/NLnetLabs/unbound/blob/release-1.9.3/doc/example.conf.in#L236
Since kernel 3.2, CAP_NET_RAW instead of CAP_NET_ADMIN is sufficient to allow for the usage of the IP_TRANSPARENT socket option. CAP_NET_ADMIN allows far more mayhem then CAP_NET_RAW, so prefer the safer, more restrictive solution.
