units/systemd-logind.service.in

   1 #  SPDX-License-Identifier: LGPL-2.1+
   2 #
   3 #  This file is part of systemd.
   4 #
   5 #  systemd is free software; you can redistribute it and/or modify it
   6 #  under the terms of the GNU Lesser General Public License as published by
   7 #  the Free Software Foundation; either version 2.1 of the License, or
   8 #  (at your option) any later version.
   9
  10 [Unit]
  11 Description=User Login Management
  12 Documentation=man:sd-login(3)
  13 Documentation=man:systemd-logind.service(8)
  14 Documentation=man:logind.conf(5)
  15 Documentation=man:org.freedesktop.login1(5)
  16
  17 Wants=user.slice modprobe@drm.service
  18 After=nss-user-lookup.target user.slice modprobe@drm.service
  19
  20 # Ask for the dbus socket.
  21 Wants=dbus.socket
  22 After=dbus.socket
  23
  24 [Service]
  25 BusName=org.freedesktop.login1
  26 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE
  27 DeviceAllow=block-* r
  28 DeviceAllow=char-/dev/console rw
  29 DeviceAllow=char-drm rw
  30 DeviceAllow=char-input rw
  31 DeviceAllow=char-tty rw
  32 DeviceAllow=char-vcs rw
  33 ExecStart=@rootlibexecdir@/systemd-logind
  34 FileDescriptorStoreMax=512
  35 IPAddressDeny=any
  36 LockPersonality=yes
  37 MemoryDenyWriteExecute=yes
  38 NoNewPrivileges=yes
  39 PrivateTmp=yes
  40 ProtectProc=invisible
  41 ProtectClock=yes
  42 ProtectControlGroups=yes
  43 ProtectHome=yes
  44 ProtectHostname=yes
  45 ProtectKernelLogs=yes
  46 ProtectKernelModules=yes
  47 ProtectSystem=strict
  48 ReadWritePaths=/etc /run
  49 Restart=always
  50 RestartSec=0
  51 RestrictAddressFamilies=AF_UNIX AF_NETLINK
  52 RestrictNamespaces=yes
  53 RestrictRealtime=yes
  54 RestrictSUIDSGID=yes
  55 RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
  56 RuntimeDirectoryPreserve=yes
  57 StateDirectory=systemd/linger
  58 SystemCallArchitectures=native
  59 SystemCallErrorNumber=EPERM
  60 SystemCallFilter=@system-service
  61 @SERVICE_WATCHDOG@
  62
  63 # Increase the default a bit in order to allow many simultaneous logins since
  64 # we keep one fd open per session.
  65 LimitNOFILE=@HIGH_RLIMIT_NOFILE@