Merge pull request #7870 from omoerbeek/stubquery-fix-arg

[thirdparty/pdns.git] / pdns / pdns.service.in

diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in
index a1ff509bc5b81204d1a4639c4398181c71968696..60a6e075ab7086f420a10c0ff855916e23770620 100644 (file)
--- a/pdns/pdns.service.in
+++ b/pdns/pdns.service.in
@@ -3,22 +3,30 @@ Description=PowerDNS Authoritative Server
 Documentation=man:pdns_server(1) man:pdns_control(1)
 Documentation=https://doc.powerdns.com
 Wants=network-online.target
-After=network-online.target mysqld.service postgresql.service slapd.service
+After=network-online.target mysqld.service postgresql.service slapd.service mariadb.service
 
 [Service]
+ExecStart=@sbindir@/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
 Type=notify
-ExecStart=@sbindir@/pdns_server --guardian=no --daemon=no --disable-syslog --write-pid=no
 Restart=on-failure
+RestartSec=1
 StartLimitInterval=0
-PrivateTmp=true
-PrivateDevices=true
+
+# Sandboxing
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
-NoNewPrivileges=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 # ProtectSystem=full will disallow write access to /etc and /usr, possibly
 # not being able to write slaved-zones into sqlite3 or zonefiles.
 ProtectSystem=full
-ProtectHome=true
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 
 [Install]
 WantedBy=multi-user.target