X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=units%2Fsystemd-hostnamed.service.in;h=9c925e80d9fe57bb1acb0bc3c0d2d4a4e0e6ab33;hb=9a43fc6a2ad9e88719c4496fbeebf18cfb65cbb2;hp=993134f3d666f40bdbe17c5a472f0119f4559e46;hpb=3219f05c1d55fa8264cbf136a63e1e10d080cb90;p=thirdparty%2Fsystemd.git

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 993134f3d66..9c925e80d9f 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -13,24 +13,26 @@ Documentation=man:systemd-hostnamed.service(8) man:hostname(5) man:machine-info(
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/hostnamed
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-hostnamed
 BusName=org.freedesktop.hostname1
-WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_ADMIN
-PrivateTmp=yes
+ExecStart=@rootlibexecdir@/systemd-hostnamed
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+RestrictNamespaces=yes
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-ReadWritePaths=/etc
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service sethostname
+WatchdogSec=3min