Merge pull request #7870 from omoerbeek/stubquery-fix-arg

[thirdparty/pdns.git] / pdns / pdns.service.in

diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in
index e9bad4f01e0b2bfcd84f00c93134f53f2e457f84..60a6e075ab7086f420a10c0ff855916e23770620 100644 (file)
--- a/pdns/pdns.service.in
+++ b/pdns/pdns.service.in
@@ -6,20 +6,27 @@ Wants=network-online.target
 After=network-online.target mysqld.service postgresql.service slapd.service mariadb.service
 
 [Service]
-Type=notify
 ExecStart=@sbindir@/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
+Type=notify
 Restart=on-failure
 RestartSec=1
 StartLimitInterval=0
-PrivateTmp=true
-PrivateDevices=true
+
+# Sandboxing
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
-NoNewPrivileges=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 # ProtectSystem=full will disallow write access to /etc and /usr, possibly
 # not being able to write slaved-zones into sqlite3 or zonefiles.
 ProtectSystem=full
-ProtectHome=true
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
 
 [Install]
 WantedBy=multi-user.target