ProtectHostname= turns off hostname change propagation from host to
service. This means for services that care about the hostname and need
to be able to notice changes to it it's not suitable (though it is
useful for most other cases still).
Let's turn it off hence for journald (which logs the current hostname)
for networkd (which optionally sends the current hostname to dhcp
servers) and resolved (which announces the current hostname via
llmnr/mdns).
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectHome=yes
NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectSystem=strict
Restart=on-failure
ProtectKernelModules=yes
ProtectSystem=strict
Restart=on-failure
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict