]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bfd8f70)
unit/network: use ProtectSystem=strict again 31772/head
authorYu Watanabe <watanabe.yu+github@gmail.com>
Wed, 13 Mar 2024 17:28:06 +0000 (02:28 +0900)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 19 Mar 2024 06:15:32 +0000 (15:15 +0900)
Now, networkd accesses the state directory through the file descriptor
passed from systemd-networkd-persistent-storage.service.
Hence, the networkd itself does not need to access the state directory
through its path, and we can use more stronger mode for ProtectSystem=.

units/systemd-networkd.service.in patch | blob | blame | history

diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index bfbc0b193e143b368d643482ab0237c86533e628..6141fdbb6d78ab2570468a9cb6ead309aa942d12 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -27,7 +27,6 @@ DeviceAllow=char-* rw
 ExecStart=!!{{LIBEXECDIR}}/systemd-networkd
 FileDescriptorStoreMax=512
 ImportCredential=network.wireguard.*
-InaccessiblePaths=-/boot -/efi
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
@@ -37,7 +36,7 @@ ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
-ProtectSystem=full
+ProtectSystem=strict
 Restart=on-failure
 RestartKillSignal=SIGUSR2
 RestartSec=0
Unnamed repository; edit this file 'description' to name the repository.