[Service]
ExecStart=-@rootlibexecdir@/systemd-coredump
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
Nice=9
-NoNewPrivileges=yes
OOMScoreAdjust=500
+RuntimeMaxSec=5min
+PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
-PrivateTmp=yes
-ProtectControlGroups=yes
+ProtectSystem=strict
ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
ProtectKernelTunables=yes
-ProtectSystem=strict
-RestrictAddressFamilies=AF_UNIX
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
RestrictRealtime=yes
-RuntimeMaxSec=5min
-StateDirectory=systemd/coredump
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX
SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
+StateDirectory=systemd/coredump
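Review bot: The new side of this hunk drops `NoNewPrivileges=yes` (the `-NoNewPrivileges=yes` line has no replacement), and the same removal appears in every other unit in this diff: hostnamed, initctl, journal-gatewayd, journal-remote, journal-upload, journald, localed, logind, machined, networkd, resolved, rfkill, timedated and timesyncd. As far as I recall, the seccomp-based directives kept here (`SystemCallFilter=`, `RestrictNamespaces=`, `MemoryDenyWriteExecute=`, `LockPersonality=`, …) only imply the no_new_privs flag when the service manager itself lacks CAP_SYS_ADMIN, so for system units the flag has to be set explicitly; without it the setuid/fscaps privilege gain that `NoNewPrivileges=` blocks is no longer ruled out for these services and their children. If the removal is intentional (for example because the flag interferes with MAC domain transitions), make that reviewable by stating the reason in the commit description or in a comment above the sandboxing block, e.g. `# NoNewPrivileges= deliberately unset: <reason>`; otherwise re-add `NoNewPrivileges=yes` next to `LockPersonality=yes` in each unit. The hunk headers are not visible on this page, so the exact hunk boundaries are inferred from the context lines.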
Documentation=https://www.freedesktop.org/wiki/Software/systemd/hostnamed
[Service]
+ExecStart=@rootlibexecdir@/systemd-hostnamed
BusName=org.freedesktop.hostname1
+WatchdogSec=3min
CapabilityBoundingSet=CAP_SYS_ADMIN
-ExecStart=@rootlibexecdir@/systemd-hostnamed
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
+PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
-PrivateTmp=yes
-ProtectControlGroups=yes
+ProtectSystem=strict
ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
ProtectKernelTunables=yes
-ProtectSystem=strict
-ReadWritePaths=/etc
-RestrictAddressFamilies=AF_UNIX
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
RestrictRealtime=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX
SystemCallFilter=@system-service sethostname
-WatchdogSec=3min
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
+ReadWritePaths=/etc
DefaultDependencies=no
[Service]
-ExecStart=@rootlibexecdir@/systemd-initctl
-NoNewPrivileges=yes
NotifyAccess=all
+ExecStart=@rootlibexecdir@/systemd-initctl
SystemCallArchitectures=native
Requires=systemd-journal-gatewayd.socket
[Service]
-DynamicUser=yes
ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
+User=systemd-journal-gateway
+SupplementaryGroups=systemd-journal
+DynamicUser=yes
PrivateDevices=yes
PrivateNetwork=yes
-ProtectControlGroups=yes
ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
RestrictRealtime=yes
-SupplementaryGroups=systemd-journal
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
-User=systemd-journal-gateway
+LockPersonality=yes
# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
[Service]
ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/
-LockPersonality=yes
-LogsDirectory=journal/remote
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
+User=systemd-journal-remote
+WatchdogSec=3min
+PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
-PrivateTmp=yes
-ProtectControlGroups=yes
+ProtectSystem=strict
ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
ProtectKernelTunables=yes
-ProtectSystem=strict
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
-User=systemd-journal-remote
-WatchdogSec=3min
+LockPersonality=yes
+LogsDirectory=journal/remote
# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
After=network-online.target
[Service]
-DynamicUser=yes
ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
+User=systemd-journal-upload
+DynamicUser=yes
+SupplementaryGroups=systemd-journal
+WatchdogSec=3min
PrivateDevices=yes
-ProtectControlGroups=yes
ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
RestrictRealtime=yes
-StateDirectory=systemd/journal-upload
-SupplementaryGroups=systemd-journal
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
-User=systemd-journal-upload
-WatchdogSec=3min
+LockPersonality=yes
+StateDirectory=systemd/journal-upload
# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
Before=sysinit.target
[Service]
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+Type=notify
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
ExecStart=@rootlibexecdir@/systemd-journald
-FileDescriptorStoreMax=4224
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
Restart=always
RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
StandardOutput=null
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
-SystemCallFilter=@system-service
-Type=notify
WatchdogSec=3min
+FileDescriptorStoreMax=4224
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
# If there are many split up journal files we need a lot of fds to access them
# all in parallel.
Documentation=https://www.freedesktop.org/wiki/Software/systemd/localed
[Service]
+ExecStart=@rootlibexecdir@/systemd-localed
BusName=org.freedesktop.locale1
+WatchdogSec=3min
CapabilityBoundingSet=
-ExecStart=@rootlibexecdir@/systemd-localed
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
+PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
-PrivateTmp=yes
-ProtectControlGroups=yes
+ProtectSystem=strict
ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
ProtectKernelTunables=yes
-ProtectSystem=strict
-ReadWritePaths=/etc
-RestrictAddressFamilies=AF_UNIX
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
RestrictRealtime=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX
SystemCallFilter=@system-service
-WatchdogSec=3min
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
+ReadWritePaths=/etc
After=dbus.socket
[Service]
-BusName=org.freedesktop.login1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
ExecStart=@rootlibexecdir@/systemd-logind
-FileDescriptorStoreMax=512
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
Restart=always
RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_NETLINK
-RestrictNamespaces=yes
+BusName=org.freedesktop.login1
+WatchdogSec=3min
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+MemoryDenyWriteExecute=yes
RestrictRealtime=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
SystemCallFilter=@system-service
-WatchdogSec=3min
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
+FileDescriptorStoreMax=512
# Increase the default a bit in order to allow many simultaneous logins since
# we keep one fd open per session.
RequiresMountsFor=/var/lib/machines
[Service]
+ExecStart=@rootlibexecdir@/systemd-machined
BusName=org.freedesktop.machine1
+WatchdogSec=3min
CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
-ExecStart=@rootlibexecdir@/systemd-machined
-IPAddressDeny=any
-LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictRealtime=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=@system-service @mount
-WatchdogSec=3min
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
# Note that machined cannot be placed in a mount namespace, since it
# needs access to the host's mount namespace in order to implement the
Wants=network.target
[Service]
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+Type=notify
+Restart=on-failure
+RestartSec=0
ExecStart=!!@rootlibexecdir@/systemd-networkd
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-ProtectControlGroups=yes
+WatchdogSec=3min
+User=systemd-network
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+ProtectSystem=strict
ProtectHome=yes
+ProtectControlGroups=yes
ProtectKernelModules=yes
-ProtectSystem=strict
-Restart=on-failure
-RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
-RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
RuntimeDirectory=systemd/netif
RuntimeDirectoryPreserve=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
-SystemCallFilter=@system-service
-Type=notify
-User=systemd-network
-WatchdogSec=3min
[Install]
WantedBy=multi-user.target
Wants=nss-lookup.target
[Service]
-AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+Type=notify
+Restart=always
+RestartSec=0
ExecStart=!!@rootlibexecdir@/systemd-resolved
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-PrivateDevices=yes
+WatchdogSec=3min
+User=systemd-resolve
+CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
PrivateTmp=yes
-ProtectControlGroups=yes
+PrivateDevices=yes
+ProtectSystem=strict
ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
ProtectKernelTunables=yes
-ProtectSystem=strict
-Restart=always
-RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
RuntimeDirectory=systemd/resolve
RuntimeDirectoryPreserve=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
-SystemCallFilter=@system-service
-Type=notify
-User=systemd-resolve
-WatchdogSec=3min
[Install]
WantedBy=multi-user.target
Before=shutdown.target
[Service]
+Type=notify
ExecStart=@rootlibexecdir@/systemd-rfkill
-NoNewPrivileges=yes
-StateDirectory=systemd/rfkill
TimeoutSec=30s
-Type=notify
+StateDirectory=systemd/rfkill
Documentation=https://www.freedesktop.org/wiki/Software/systemd/timedated
[Service]
+ExecStart=@rootlibexecdir@/systemd-timedated
BusName=org.freedesktop.timedate1
+WatchdogSec=3min
CapabilityBoundingSet=CAP_SYS_TIME
-ExecStart=@rootlibexecdir@/systemd-timedated
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateTmp=yes
-ProtectControlGroups=yes
+ProtectSystem=strict
ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
ProtectKernelTunables=yes
-ProtectSystem=strict
-ReadWritePaths=/etc
-RestrictAddressFamilies=AF_UNIX
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
RestrictRealtime=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX
SystemCallFilter=@system-service @clock
-WatchdogSec=3min
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
+ReadWritePaths=/etc
Wants=time-sync.target
[Service]
-AmbientCapabilities=CAP_SYS_TIME
-CapabilityBoundingSet=CAP_SYS_TIME
+Type=notify
+Restart=always
+RestartSec=0
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-PrivateDevices=yes
+WatchdogSec=3min
+User=systemd-timesync
+CapabilityBoundingSet=CAP_SYS_TIME
+AmbientCapabilities=CAP_SYS_TIME
PrivateTmp=yes
-ProtectControlGroups=yes
+PrivateDevices=yes
+ProtectSystem=strict
ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
ProtectKernelTunables=yes
-ProtectSystem=strict
-Restart=always
-RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RuntimeDirectory=systemd/timesync
-StateDirectory=systemd/timesync
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service @clock
-Type=notify
-User=systemd-timesync
-WatchdogSec=3min
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+StateDirectory=systemd/timesync
[Install]
WantedBy=sysinit.target