X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=units%2Fsystemd-hostnamed.service.in;h=9c925e80d9fe57bb1acb0bc3c0d2d4a4e0e6ab33;hb=9a43fc6a2ad9e88719c4496fbeebf18cfb65cbb2;hp=d29e9ff81be325c849bbebddecdb02b6d5dec99c;hpb=939ae460cda30381487ad62262b71d0917468d59;p=thirdparty%2Fsystemd.git

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index d29e9ff81be..9c925e80d9f 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -1,3 +1,5 @@
+#  SPDX-License-Identifier: LGPL-2.1+
+#
 #  This file is part of systemd.
 #
 #  systemd is free software; you can redistribute it and/or modify it
@@ -11,22 +13,26 @@ Documentation=man:systemd-hostnamed.service(8) man:hostname(5) man:machine-info(
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/hostnamed
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-hostnamed
 BusName=org.freedesktop.hostname1
-WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_ADMIN
-PrivateTmp=yes
+ExecStart=@rootlibexecdir@/systemd-hostnamed
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+RestrictNamespaces=yes
+RestrictRealtime=yes
 SystemCallArchitectures=native
-ReadWritePaths=/etc
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service sethostname
+WatchdogSec=3min