Merge pull request #12378 from rbalint/vt-kbd-reset-check

[thirdparty/systemd.git] / units / systemd-networkd.service.in

diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 3f0ad77b7d2a9b0f1afcffbb1017ca08810ad237..2c74da6f1ede5774b2fdbaaa08d64bf046202a3c 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -1,3 +1,5 @@
+#  SPDX-License-Identifier: LGPL-2.1+
+#
 #  This file is part of systemd.
 #
 #  systemd is free software; you can redistribute it and/or modify it
@@ -17,25 +19,30 @@ Conflicts=shutdown.target
 Wants=network.target
 
 [Service]
-Type=notify
-Restart=on-failure
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-networkd
-WatchdogSec=3min
-User=systemd-network
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
-ProtectSystem=strict
-ProtectHome=yes
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+ExecStart=!!@rootlibexecdir@/systemd-networkd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 ProtectControlGroups=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
+ProtectSystem=strict
+Restart=on-failure
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
-SystemCallArchitectures=native
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/netif
 RuntimeDirectoryPreserve=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+User=systemd-network
+WatchdogSec=3min
 
 [Install]
 WantedBy=multi-user.target