X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=units%2Fsystemd-journald.service.in;h=0cb1bfa3ca7296ab0bb1d696d4a774a65330cc7f;hb=39cf0351c529584aa8f270e3b418d7ab9461b622;hp=089bc38f5971260c3564f254a96fd3ca8007eda9;hpb=6c431a16c32c9f4576e358978d838903390cd0cb;p=thirdparty%2Fsystemd.git

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 089bc38f597..0cb1bfa3ca7 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -16,7 +16,6 @@ After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-a
 Before=sysinit.target
 
 [Service]
-OOMScoreAdjust=-250
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
 DeviceAllow=char-* rw
 ExecStart=@rootlibexecdir@/systemd-journald
@@ -25,19 +24,23 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+OOMScoreAdjust=-250
+ProtectClock=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
+RuntimeDirectory=systemd/journal
+RuntimeDirectoryPreserve=yes
 Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
 StandardOutput=null
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
 Type=notify
-WatchdogSec=3min
+@SERVICE_WATCHDOG@
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
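Review bot: The `@SERVICE_WATCHDOG@` line that replaces `WatchdogSec=3min` near the end of the second hunk is a build-time placeholder, and nothing in the unit says what it expands to. If the substitution can be empty (its definition is outside this diff, so that is an assumption), journald would run without a watchdog, and `Restart=always` reacts only to an exit, not to a hang, so a stalled log and audit collector would go unnoticed. I would add a comment directly above it, such as `# Replaced at build time by a WatchdogSec= line, or by nothing when the service watchdog is disabled`, so that packagers know to check the installed unit for a `WatchdogSec=` value. The [Service] section begins before this hunk and continues past it.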