diff options
Diffstat (limited to 'units/systemd-networkd.service.in')
-rw-r--r-- | units/systemd-networkd.service.in | 35 |
1 files changed, 18 insertions, 17 deletions
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in index 371ab3a9cf..472ef045de 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.in @@ -13,34 +13,35 @@ Documentation=man:systemd-networkd.service(8) ConditionCapability=CAP_NET_ADMIN DefaultDependencies=no # systemd-udevd.service can be dropped once tuntap is moved to netlink -After=systemd-udevd.service network-pre.target systemd-sysctl.service +After=systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service Before=network.target multi-user.target shutdown.target Conflicts=shutdown.target Wants=network.target [Service] -Type=notify -Restart=on-failure -RestartSec=0 -ExecStart=!!@rootlibexecdir@/systemd-networkd -WatchdogSec=3min -User=systemd-network -DynamicUser=yes -CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW -ProtectHome=yes +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW +ExecStart=!!@rootlibexecdir@/systemd-networkd +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes ProtectControlGroups=yes +ProtectHome=yes ProtectKernelModules=yes -MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +ProtectSystem=strict +Restart=on-failure +RestartSec=0 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET -SystemCallFilter=@system-service -SystemCallErrorNumber=EPERM -SystemCallArchitectures=native -LockPersonality=yes +RestrictNamespaces=yes +RestrictRealtime=yes RuntimeDirectory=systemd/netif RuntimeDirectoryPreserve=yes +SystemCallArchitectures=native +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service +Type=notify +User=systemd-network +WatchdogSec=3min [Install] WantedBy=multi-user.target |