1 files changed, 18 insertions, 17 deletions

diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 371ab3a9cf..472ef045de 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -13,34 +13,35 @@ Documentation=man:systemd-networkd.service(8)
 ConditionCapability=CAP_NET_ADMIN
 DefaultDependencies=no
 # systemd-udevd.service can be dropped once tuntap is moved to netlink
-After=systemd-udevd.service network-pre.target systemd-sysctl.service
+After=systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
 Before=network.target multi-user.target shutdown.target
 Conflicts=shutdown.target
 Wants=network.target
 
 [Service]
-Type=notify
-Restart=on-failure
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-networkd
-WatchdogSec=3min
-User=systemd-network
-DynamicUser=yes
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
-ProtectHome=yes
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+ExecStart=!!@rootlibexecdir@/systemd-networkd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 ProtectControlGroups=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectSystem=strict
+Restart=on-failure
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
 RuntimeDirectory=systemd/netif
 RuntimeDirectoryPreserve=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+User=systemd-network
+WatchdogSec=3min
 
 [Install]
 WantedBy=multi-user.target