PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
+ProtectProc=invisible
ProtectControlGroups=yes
ProtectHome=yes
+ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
-ProtectKernelLogs=yes
ProtectSystem=strict
ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX
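Review bot: The added `ProtectProc=invisible` only restricts a service when certain conditions hold, and this hunk does not show whether they hold for this unit. Per systemd.exec(5) it does not constrain a service that runs as root or holds CAP_SYS_PTRACE, and it has no effect on kernels without per-mount `hidepid=` support. The unit's `User=` and `CapabilityBoundingSet=` lines are outside the hunk, so they should be checked before this line is counted as hardening. The same applies to the other hunks that add the line; only the one showing `User=systemd-network` visibly runs unprivileged. A comment above the new line would prevent overestimating it, e.g. `# No effect for root/CAP_SYS_PTRACE or on kernels without per-mount hidepid=`.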
MemoryDenyWriteExecute=yes
PrivateDevices=yes
PrivateNetwork=yes
+ProtectProc=invisible
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
+ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
-ProtectKernelLogs=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
+ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
+ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
-ProtectKernelLogs=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
PrivateDevices=yes
+ProtectProc=invisible
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
+ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
-ProtectKernelLogs=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
+ProtectProc=invisible
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
+ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
-ProtectKernelLogs=yes
ProtectSystem=strict
ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX
DeviceAllow=char-input rw
DeviceAllow=char-tty rw
DeviceAllow=char-vcs rw
-# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
ExecStart=@rootlibexecdir@/systemd-logind
FileDescriptorStoreMax=512
IPAddressDeny=any
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateTmp=yes
+ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
-ProtectKernelModules=yes
ProtectKernelLogs=yes
+ProtectKernelModules=yes
ProtectSystem=strict
ReadWritePaths=/etc /run
Restart=always
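Review bot: `ProtectProc=invisible` in this hunk needs a functional check, not just a hardening review. This is presumably the unit whose `ExecStart=` runs systemd-logind in the preceding hunk, and systemd.exec(5) says the setting cannot be used for services that need metadata about other users' processes. A login manager may well look up `/proc/PID` entries of its clients, though that is not visible here. Whether the restriction takes effect depends on `User=` and `CapabilityBoundingSet=`, which are outside the hunk. If it is known to be safe, record the reason above the line, e.g. `# safe here: <reason logind needs no /proc/PID data of other users>`; otherwise test session creation for an unprivileged user on a kernel with per-mount `hidepid=`.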
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
+ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
-ProtectKernelModules=yes
ProtectKernelLogs=yes
+ProtectKernelModules=yes
ProtectSystem=strict
Restart=on-failure
+RestartKillSignal=SIGUSR2
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET AF_ALG
RestrictNamespaces=yes
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify
-RestartKillSignal=SIGUSR2
User=systemd-network
@SERVICE_WATCHDOG@
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
+ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
+ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
-ProtectKernelLogs=yes
ProtectSystem=strict
Restart=always
RestartSec=0
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateTmp=yes
+ProtectProc=invisible
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
+ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
-ProtectKernelLogs=yes
ProtectSystem=strict
ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
+ProtectProc=invisible
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
+ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
-ProtectKernelLogs=yes
ProtectSystem=strict
Restart=always
RestartSec=0
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
+ProtectProc=invisible
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes