units/systemd-portabled.service.in

   1 #  SPDX-License-Identifier: LGPL-2.1-or-later
   2 #
   3 #  This file is part of systemd.
   4 #
   5 #  systemd is free software; you can redistribute it and/or modify it
   6 #  under the terms of the GNU Lesser General Public License as published by
   7 #  the Free Software Foundation; either version 2.1 of the License, or
   8 #  (at your option) any later version.
   9
  10 [Unit]
  11 Description=Portable Service Manager
  12 Documentation=man:systemd-portabled.service(8)
  13 Documentation=man:org.freedesktop.portable1(5)
  14 RequiresMountsFor=/var/lib/portables
  15
  16 [Service]
  17 ExecStart={{ROOTLIBEXECDIR}}/systemd-portabled
  18 BusName=org.freedesktop.portable1
  19 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
  20 MemoryDenyWriteExecute=yes
  21 ProtectHostname=yes
  22 ProtectKernelLogs=yes
  23 RestrictRealtime=yes
  24 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
  25 SystemCallFilter=@system-service @mount
  26 SystemCallErrorNumber=EPERM
  27 SystemCallArchitectures=native
  28 LockPersonality=yes
  29 IPAddressDeny=any
  30 {{SERVICE_WATCHDOG}}