X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=units%2Fsystemd-hostnamed.service.in;h=9c925e80d9fe57bb1acb0bc3c0d2d4a4e0e6ab33;hb=9a43fc6a2ad9e88719c4496fbeebf18cfb65cbb2;hp=b7079e4a7c04dbcfe177baba90e1e2783c3c448c;hpb=64204b9545ff41b4f78814703ffb1f12a562378d;p=thirdparty%2Fsystemd.git
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index b7079e4a7c0..9c925e80d9f 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -1,3 +1,5 @@
+# SPDX-License-Identifier: LGPL-2.1+
+#
 # This file is part of systemd.
 #
 # systemd is free software; you can redistribute it and/or modify it
@@ -8,15 +10,29 @@
 [Unit]
 Description=Hostname Service
 Documentation=man:systemd-hostnamed.service(8) man:hostname(5) man:machine-info(5)
-Documentation=http://www.freedesktop.org/wiki/Software/systemd/hostnamed
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/hostnamed
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-hostnamed
 BusName=org.freedesktop.hostname1
 CapabilityBoundingSet=CAP_SYS_ADMIN
-WatchdogSec=3min
-PrivateTmp=yes
+ExecStart=@rootlibexecdir@/systemd-hostnamed
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
 ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service sethostname
+WatchdogSec=3min
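Review bot: `ReadWritePaths=/etc` in the second hunk reopens the whole of /etc for writing under `ProtectSystem=strict`, although the `Documentation=` line suggests the service only maintains the hostname and machine-info files. If the directory-wide grant is needed because those files are replaced via a temporary file and rename (not visible in this hunk), record that next to the setting, e.g. `# /etc as a whole must be writable: hostname and machine-info are replaced atomically`. Without it a later reader cannot tell a deliberate exception from an oversight. No `User=` appears in the visible [Service] lines, so the service presumably runs as root with `CAP_SYS_ADMIN`, which makes this the widest write surface left after the hardening. A similar one-line comment on `SystemCallFilter=@system-service sethostname`, saying why `sethostname` is listed separately, would help keep the filter from being widened or trimmed by mistake.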