[thirdparty/systemd.git] / units / systemd-resolved.service.in

#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Network Name Resolution
Documentation=man:systemd-resolved.service(8)
Documentation=man:org.freedesktop.resolve1(5)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients

DefaultDependencies=no
After=systemd-sysctl.service systemd-sysusers.service
Before=sysinit.target network.target nss-lookup.target shutdown.target initrd-switch-root.target
Conflicts=shutdown.target initrd-switch-root.target
Wants=nss-lookup.target

[Service]
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
BusName=org.freedesktop.resolve1
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
ExecStart=!!{{LIBEXECDIR}}/systemd-resolved
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/resolve
RuntimeDirectoryPreserve=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify-reload
User=systemd-resolve
ImportCredential=network.dns
ImportCredential=network.search_domains
{{SERVICE_WATCHDOG}}

[Install]
WantedBy=sysinit.target
Alias=dbus-org.freedesktop.resolve1.service
Commit	Line	Data
db9ecf05	1	# SPDX-License-Identifier: LGPL-2.1-or-later
a7df2d1e	2	#
ee9b9875 TG	3	# This file is part of systemd.
	4	#
	5	# systemd is free software; you can redistribute it and/or modify it
	6	# under the terms of the GNU Lesser General Public License as published by
	7	# the Free Software Foundation; either version 2.1 of the License, or
	8	# (at your option) any later version.
ee9b9875	9
091a364c TG	10	[Unit]
	11	Description=Network Name Resolution
	12	Documentation=man:systemd-resolved.service(8)
21006e0e	13	Documentation=man:org.freedesktop.resolve1(5)
16a5d412 DR	14	Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
16a5d412 DR	15	Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
21006e0e	16
1f158013	17	DefaultDependencies=no
6e6b59ed	18	After=systemd-sysctl.service systemd-sysusers.service
75efd16f DDM	19	Before=sysinit.target network.target nss-lookup.target shutdown.target initrd-switch-root.target
75efd16f DDM	20	Conflicts=shutdown.target initrd-switch-root.target
3e060555	21	Wants=nss-lookup.target
091a364c TG	22
091a364c TG	23	[Service]
635f3df5	24	AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
e67b818c	25	BusName=org.freedesktop.resolve1
3ca9940c	26	CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
b0d3095f	27	ExecStart=!!{{LIBEXECDIR}}/systemd-resolved
3ca9940c LP	28	LockPersonality=yes
	29	MemoryDenyWriteExecute=yes
	30	NoNewPrivileges=yes
0c28d51a	31	PrivateDevices=yes
3ca9940c	32	PrivateTmp=yes
cabc1c6d	33	ProtectClock=yes
0c28d51a	34	ProtectControlGroups=yes
3ca9940c	35	ProtectHome=yes
24da96a1	36	ProtectKernelLogs=yes
b6c7278c	37	ProtectKernelModules=yes
3ca9940c LP	38	ProtectKernelTunables=yes
	39	ProtectSystem=strict
	40	Restart=always
	41	RestartSec=0
0c28d51a	42	RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
3ca9940c LP	43	RestrictNamespaces=yes
3ca9940c LP	44	RestrictRealtime=yes
62aa2924	45	RestrictSUIDSGID=yes
635f3df5 LP	46	RuntimeDirectory=systemd/resolve
635f3df5 LP	47	RuntimeDirectoryPreserve=yes
3ca9940c LP	48	SystemCallArchitectures=native
	49	SystemCallErrorNumber=EPERM
	50	SystemCallFilter=@system-service
14a52176	51	Type=notify-reload
3ca9940c	52	User=systemd-resolve
1ab6ae19 DDM	53	ImportCredential=network.dns
1ab6ae19 DDM	54	ImportCredential=network.search_domains
059cc610	55	{{SERVICE_WATCHDOG}}
091a364c TG	56
091a364c TG	57	[Install]
29a8fbf4	58	WantedBy=sysinit.target
4d1f490c	59	Alias=dbus-org.freedesktop.resolve1.service