systemd-stable/units/systemd-resolved.service.in

#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Network Name Resolution
Documentation=man:systemd-resolved.service(8)
Documentation=man:org.freedesktop.resolve1(5)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients

DefaultDependencies=no
After=systemd-sysusers.service systemd-networkd.service
Before=network.target nss-lookup.target shutdown.target
Conflicts=shutdown.target
Wants=nss-lookup.target

[Service]
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
BusName=org.freedesktop.resolve1
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-resolved
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/resolve
RuntimeDirectoryPreserve=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify
User=systemd-resolve
{{SERVICE_WATCHDOG}}

[Install]
WantedBy=basic.target
Alias=dbus-org.freedesktop.resolve1.service
license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00			`# SPDX-License-Identifier: LGPL-2.1-or-later`
Add SPDX license headers to unit files 2017-11-18 17:35:03 +01:00			`#`
networkd: add missing files 2014-05-16 20:14:23 +02:00			`# This file is part of systemd.`
			`#`
			`# systemd is free software; you can redistribute it and/or modify it`
			`# under the terms of the GNU Lesser General Public License as published by`
			`# the Free Software Foundation; either version 2.1 of the License, or`
			`# (at your option) any later version.`

resolved: add daemon to manage resolv.conf Also remove the equivalent functionality from networkd. 2014-05-18 22:10:48 +02:00			`[Unit]`
			`Description=Network Name Resolution`
			`Documentation=man:systemd-resolved.service(8)`
man,units: link to the new dbus-api man pages 2020-09-29 08:03:10 +02:00			`Documentation=man:org.freedesktop.resolve1(5)`
units: use https for the freedesktop url (#6227) 2017-06-29 04:54:12 +02:00			`Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers`
			`Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients`
man,units: link to the new dbus-api man pages 2020-09-29 08:03:10 +02:00
resolved.service: set DefaultDependencies=no On systems that only use resolved for name resolution, there are usecases that require resolved to be started before sysinit target, such that network name resolution is available before network-online/sysinit targets. For example, cloud-init for some datasources hooks into the boot process ahead of sysinit target and may need network name resolution at that point already. systemd-resolved already starts pretty early in the process, thus starting it slightly earlier should not have negative side effects. However, this depends on resolved ability to connect to system DBus once that is up. 2017-12-11 18:27:49 +00:00			`DefaultDependencies=no`
Revert "resolve: enable DynamicUser= for systemd-resolved.service" This reverts commit 0187368cadea183e18c6d575a9d6b7f491a402af. (systemd.conf.m4 part was already reverted in 5b5d82615011b9827466b7cd5756da35627a1608.) 2018-09-19 10:04:33 +02:00			`After=systemd-sysusers.service systemd-networkd.service`
resolved.service: set DefaultDependencies=no On systems that only use resolved for name resolution, there are usecases that require resolved to be started before sysinit target, such that network name resolution is available before network-online/sysinit targets. For example, cloud-init for some datasources hooks into the boot process ahead of sysinit target and may need network name resolution at that point already. systemd-resolved already starts pretty early in the process, thus starting it slightly earlier should not have negative side effects. However, this depends on resolved ability to connect to system DBus once that is up. 2017-12-11 18:27:49 +00:00			`Before=network.target nss-lookup.target shutdown.target`
			`Conflicts=shutdown.target`
units: systemd-resolved should start before network-online.target and nss-lookup.target (#5691) systemd-resolved provides 1. local API via NSS and D-Bus 2. kind of a local "DNS proxy" through its stub listener The 1st item should be started before nss-lookup.target. The 2nd item should be started before network-online.target, because if the networking works in general, then DNS (and DNS proxy) should too. Fixes #5650 2017-04-21 18:21:17 +09:00			`Wants=nss-lookup.target`
resolved: add daemon to manage resolv.conf Also remove the equivalent functionality from networkd. 2014-05-18 22:10:48 +02:00
			`[Service]`
units: make use of the new !! ExecStart= prefix in systemd-resolved.service Let's make use of !! to run resolved with ambient capabilities on systems supporting them. 2017-08-09 16:15:07 +02:00			`AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE`
unit: declare BusName= in all our units that are on the bus, event if they don't use Type=dbus This information is always useful, so let's always declare it, particular in the light of #16976. 2020-09-11 10:56:06 +02:00			`BusName=org.freedesktop.resolve1`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 17:19:48 +01:00			`CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE`
meson: use jinja2 for unit templates We don't need two (and half) templating systems anymore, yay! I'm keeping the changes minimal, to make the diff manageable. Some enhancements due to a better templating system might be possible in the future. For handling of '## ' — see the next commit. 2021-05-16 11:55:36 +02:00			`ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-resolved`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 17:19:48 +01:00			`LockPersonality=yes`
			`MemoryDenyWriteExecute=yes`
			`NoNewPrivileges=yes`
units: further lock down our long-running services Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS. 2016-08-26 13:23:27 +02:00			`PrivateDevices=yes`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 17:19:48 +01:00			`PrivateTmp=yes`
units: turn on ProtectProc= wherever suitable 2020-08-06 14:50:38 +02:00			`ProtectProc=invisible`
units: add ProtectClock=yes Add `ProtectClock=yes` to systemd units. Since it implies certain `DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so they are still able to access other devices. Exclude timesyncd and timedated. 2020-04-02 21:18:11 +03:00			`ProtectClock=yes`
units: further lock down our long-running services Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS. 2016-08-26 13:23:27 +02:00			`ProtectControlGroups=yes`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 17:19:48 +01:00			`ProtectHome=yes`
units: turn on ProtectProc= wherever suitable 2020-08-06 14:50:38 +02:00			`ProtectKernelLogs=yes`
units: turn on ProtectKernelModules= for most long-running services 2017-02-09 11:09:50 +01:00			`ProtectKernelModules=yes`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 17:19:48 +01:00			`ProtectKernelTunables=yes`
			`ProtectSystem=strict`
			`Restart=always`
			`RestartSec=0`
units: further lock down our long-running services Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS. 2016-08-26 13:23:27 +02:00			`RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 17:19:48 +01:00			`RestrictNamespaces=yes`
			`RestrictRealtime=yes`
units: turn on RestrictSUIDSGID= in most of our long-running daemons 2019-03-20 19:52:20 +01:00			`RestrictSUIDSGID=yes`
units: make use of the new !! ExecStart= prefix in systemd-resolved.service Let's make use of !! to run resolved with ambient capabilities on systems supporting them. 2017-08-09 16:15:07 +02:00			`RuntimeDirectory=systemd/resolve`
			`RuntimeDirectoryPreserve=yes`
units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 2018-11-12 17:19:48 +01:00			`SystemCallArchitectures=native`
			`SystemCallErrorNumber=EPERM`
			`SystemCallFilter=@system-service`
			`Type=notify`
			`User=systemd-resolve`
meson: use jinja2 for unit templates We don't need two (and half) templating systems anymore, yay! I'm keeping the changes minimal, to make the diff manageable. Some enhancements due to a better templating system might be possible in the future. For handling of '## ' — see the next commit. 2021-05-16 11:55:36 +02:00			`{{SERVICE_WATCHDOG}}`
resolved: add daemon to manage resolv.conf Also remove the equivalent functionality from networkd. 2014-05-18 22:10:48 +02:00
			`[Install]`
units: start systemd-resolved in basic.target In the olden days systemd-resolved used dbus and it didn't make sense to start it before dbus which is started fairly late. But we have mostly ported resolved over to varlink. The queries from nss-resolve are done using varlink, so name resolution can work without dbus. resolvectl still uses dbus, so e.g. 'resolvectl query' will not work, but by starting systemd-resolved earlier we're not making this any worse. If systemd-resolved is started after dbus, it registers the name and everything is fine. If it is started before dbus, it'll watch for the dbus socket and connect later. So it should be fine to start systemd-resolved earlier. (If dbus is stopped and restarted, unfortunately systemd-resolved does not reconnect. This seems to be a small bug: since our daemons know how to watch for dbus.socket, they could restart the watch if they ever lose the connection. But this scenario shouldn't happen in normal boot, and restarting dbus is not supported anyway.) Moving the start earlier the following advantages: - name resolution becomes availabe earlier, in particular for synthesized hostnames even before the network is up. - basic.target is part of initrd.target, so systemd-resolved will get started in the initrd if installed. This is required for nfs-root when the server is specified using a name (https://bugzilla.redhat.com/show_bug.cgi?id=2037311). 2022-01-07 17:23:37 +01:00			`WantedBy=basic.target`
units: enable resolved bus activation though a symlink in /etc The change: -/usr/lib/systemd/system/dbus-org.freedesktop.resolve1.service +/etc/systemd/system/dbus-org.freedesktop.resolve1.service If resolved is disabled, without this, talking to the resolved bus API will activate it regardless whether it is enabled or not, let's fix that. 2017-02-16 17:48:48 +01:00			`Alias=dbus-org.freedesktop.resolve1.service`