]> git.ipfire.org Git - thirdparty/systemd.git/blobdiff - units/systemd-resolved.service.m4.in
projects / thirdparty / systemd.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
units: switch on ProtectSystem=strict for our long running services
[thirdparty/systemd.git] / units / systemd-resolved.service.m4.in
diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index dcacbdaeab200e2bc838d4746bb3338335b7072a..dfd2f4ad0aaf81d6fb13303ee58ddc7765242dc9 100644 (file)
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -27,7 +27,7 @@ WatchdogSec=3min
 CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_NET_RAW CAP_NET_BIND_SERVICE
 PrivateTmp=yes
 PrivateDevices=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@@ -36,6 +36,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/run/systemd
 
 [Install]
 WantedBy=multi-user.target
Unnamed repository; edit this file 'description' to name the repository.