417116f234
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
30 lines
880 B
SYSTEMD
30 lines
880 B
SYSTEMD
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Network Service
|
|
Documentation=man:systemd-networkd.service(8)
|
|
DefaultDependencies=no
|
|
After=dbus.service
|
|
Before=network.target
|
|
Wants=network.target
|
|
ConditionCapability=CAP_NET_ADMIN
|
|
|
|
[Service]
|
|
Type=notify
|
|
Restart=always
|
|
RestartSec=0
|
|
ExecStart=@rootlibexecdir@/systemd-networkd
|
|
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
|
|
ReadOnlySystem=yes
|
|
ProtectedHome=yes
|
|
WatchdogSec=1min
|
|
|
|
[Install]
|
|
Also=systemd-networkd-wait-online.service
|
|
WantedBy=multi-user.target
|