From: Lennart Poettering
Date: Tue, 18 Dec 2018 13:07:23 +0000 (+0100)
Subject: units: sort [Service] sections alphabetically
X-Git-Tag: v240~22^2~3
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=52ef7bbbe653aaecffdf49b54af148993f4db46b;p=platform%2Fupstream%2Fsystemd.git

units: sort [Service] sections alphabetically
---

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 215696e..74dcf7f 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -18,24 +18,24 @@ Before=shutdown.target
 
 [Service]
 ExecStart=-@rootlibexecdir@/systemd-coredump
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 Nice=9
 OOMScoreAdjust=500
-RuntimeMaxSec=5min
-PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RuntimeMaxSec=5min
 StateDirectory=systemd/coredump
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index da74b4f..696d4e2 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
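Review bot: The sorted `[Service]` block of systemd-coredump@.service still carries no `NoNewPrivileges=` setting, and no `User=` appears in the lines shown, so the process that parses crashing programs' memory images appears to run as root without that guard. Assuming the coredump handler never needs to gain privileges through a setuid or file-capability binary, I would add `NoNewPrivileges=yes` between `Nice=9` and `OOMScoreAdjust=500`, which also keeps the new alphabetical order. The rest of the hardening set is unchanged by the reorder as far as the hunk shows.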
@@ -13,25 +13,25 @@ Documentation=man:systemd-hostnamed.service(8) man:hostname(5) man:machine-info(
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/hostnamed
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-hostnamed
 BusName=org.freedesktop.hostname1
-WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_ADMIN
-PrivateTmp=yes
+ExecStart=@rootlibexecdir@/systemd-hostnamed
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=@system-service sethostname
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-ReadWritePaths=/etc
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service sethostname
+WatchdogSec=3min
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index 2b4b957..f48d673 100644
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -13,6 +13,6 @@ Documentation=man:systemd-initctl.service(8)
 DefaultDependencies=no
 
 [Service]
-NotifyAccess=all
 ExecStart=@rootlibexecdir@/systemd-initctl
+NotifyAccess=all
 SystemCallArchitectures=native
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index a51d59d..5ef4ee0 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -13,22 +13,22 @@ Documentation=man:systemd-journal-gatewayd(8)
 Requires=systemd-journal-gatewayd.socket
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
-User=systemd-journal-gateway
-SupplementaryGroups=systemd-journal
 DynamicUser=yes
+ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectHome=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SupplementaryGroups=systemd-journal
 SystemCallArchitectures=native
-LockPersonality=yes
+User=systemd-journal-gateway
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index fa8682c..ec1311d 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
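Review bot: The sorted `[Service]` block of systemd-journal-gatewayd has no `SystemCallFilter=` or `SystemCallErrorNumber=` line, while other sandboxed units in this patch (hostnamed, localed, resolved, timesyncd) set `SystemCallFilter=@system-service` with `SystemCallErrorNumber=EPERM`; the systemd-journal-remote and systemd-journal-upload hunks show the same gap. These three units allow `AF_INET AF_INET6` and handle network traffic, so they are where a syscall allow-list would reduce exposure most. If the omission is deliberate, for instance because a linked library needs calls outside `@system-service`, a comment above `SystemCallArchitectures=native` along the lines of `# SystemCallFilter= is not set because <reason>` would record it; otherwise consider adding the two lines after it. The section continues past the end of the hunk, so anything set further down is not visible here.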
@@ -14,23 +14,23 @@ Requires=systemd-journal-remote.socket
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/
-User=systemd-journal-remote
-WatchdogSec=3min
-PrivateTmp=yes
+LockPersonality=yes
+LogsDirectory=journal/remote
+MemoryDenyWriteExecute=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-LogsDirectory=journal/remote
+User=systemd-journal-remote
+WatchdogSec=3min
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index 1ded990..a15744e 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -14,23 +14,23 @@ Wants=network-online.target
 After=network-online.target
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
-User=systemd-journal-upload
 DynamicUser=yes
-SupplementaryGroups=systemd-journal
-WatchdogSec=3min
+ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 PrivateDevices=yes
-ProtectHome=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-SystemCallArchitectures=native
-LockPersonality=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
 StateDirectory=systemd/journal-upload
+SupplementaryGroups=systemd-journal
+SystemCallArchitectures=native
+User=systemd-journal-upload
+WatchdogSec=3min
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 41cac8c..7b659d4 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -16,24 +16,24 @@ After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-a
 Before=sysinit.target
 
 [Service]
-Type=notify
-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
 ExecStart=@rootlibexecdir@/systemd-journald
-Restart=always
-RestartSec=0
-StandardOutput=null
-WatchdogSec=3min
 FileDescriptorStoreMax=4224
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+IPAddressDeny=any
+LockPersonality=yes
 MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+Restart=always
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+StandardOutput=null
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+WatchdogSec=3min
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index a24e61a0c..7d40fb4 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -13,25 +13,25 @@ Documentation=man:systemd-localed.service(8) man:locale.conf(5) man:vconsole.con
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/localed
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-localed
 BusName=org.freedesktop.locale1
-WatchdogSec=3min
 CapabilityBoundingSet=
-PrivateTmp=yes
+ExecStart=@rootlibexecdir@/systemd-localed
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-ReadWritePaths=/etc
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+WatchdogSec=3min
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 961263f..6b362cc 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -20,22 +20,22 @@ Wants=dbus.socket
 After=dbus.socket
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-logind
-Restart=always
-RestartSec=0
 BusName=org.freedesktop.login1
-WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+ExecStart=@rootlibexecdir@/systemd-logind
+FileDescriptorStoreMax=512
+IPAddressDeny=any
+LockPersonality=yes
 MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+Restart=always
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-FileDescriptorStoreMax=512
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+WatchdogSec=3min
 
 # Increase the default a bit in order to allow many simultaneous logins since
 # we keep one fd open per session.
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 1200a90..d90e71a 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -16,18 +16,18 @@ After=machine.slice
 RequiresMountsFor=/var/lib/machines
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
-WatchdogSec=3min
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
+ExecStart=@rootlibexecdir@/systemd-machined
+IPAddressDeny=any
+LockPersonality=yes
 MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=@system-service @mount
-SystemCallErrorNumber=EPERM
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @mount
+WatchdogSec=3min
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 65d3e2a..f23bf22 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -19,28 +19,28 @@ Conflicts=shutdown.target
 Wants=network.target
 
 [Service]
-Type=notify
-Restart=on-failure
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-networkd
-WatchdogSec=3min
-User=systemd-network
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
-ProtectSystem=strict
-ProtectHome=yes
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+ExecStart=!!@rootlibexecdir@/systemd-networkd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 ProtectControlGroups=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectSystem=strict
+Restart=on-failure
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
 RuntimeDirectory=systemd/netif
 RuntimeDirectoryPreserve=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+User=systemd-network
+WatchdogSec=3min
 
 [Install]
 WantedBy=multi-user.target
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index ef5398c..d08842f 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
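Review bot: `PrivateDevices=`, `PrivateTmp=` and `ProtectKernelTunables=` are absent from the sorted networkd `[Service]` block, while the systemd-resolved unit later in this patch sets all three, and nothing in the unit records why networkd is the exception. The likely reason is that networkd has to write network sysctls and reach device nodes, but that is an inference from the service's role and not something the hunk shows. The machined unit in this same patch documents its own exception in a comment; a matching line here, such as `# ProtectKernelTunables=/PrivateDevices= are not set because <reason>`, would keep a later hardening pass from either breaking the service or skipping a protection that could in fact be enabled.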
@@ -20,31 +20,31 @@ Conflicts=shutdown.target
 Wants=nss-lookup.target
 
 [Service]
-Type=notify
-Restart=always
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-resolved
-WatchdogSec=3min
-User=systemd-resolve
-CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
-PrivateTmp=yes
+CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+ExecStart=!!@rootlibexecdir@/systemd-resolved
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 PrivateDevices=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+Restart=always
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
 RuntimeDirectory=systemd/resolve
 RuntimeDirectoryPreserve=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+User=systemd-resolve
+WatchdogSec=3min
 
 [Install]
 WantedBy=multi-user.target
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index 4b68f0b..7447ed5 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -17,7 +17,7 @@ After=sys-devices-virtual-misc-rfkill.device systemd-remount-fs.service
 Before=shutdown.target
 
 [Service]
-Type=notify
 ExecStart=@rootlibexecdir@/systemd-rfkill
-TimeoutSec=30s
 StateDirectory=systemd/rfkill
+TimeoutSec=30s
+Type=notify
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 906bb43..1105f1a 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -13,23 +13,23 @@ Documentation=man:systemd-timedated.service(8) man:localtime(5)
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/timedated
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-timedated
 BusName=org.freedesktop.timedate1
-WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_TIME
+ExecStart=@rootlibexecdir@/systemd-timedated
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 PrivateTmp=yes
-ProtectSystem=strict
-ProtectHome=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=@system-service @clock
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictRealtime=yes
 SystemCallArchitectures=native
-LockPersonality=yes
-IPAddressDeny=any
-ReadWritePaths=/etc
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @clock
+WatchdogSec=3min
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 12f918d..8b99e92 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -19,31 +19,31 @@ Conflicts=shutdown.target
 Wants=time-sync.target
 
 [Service]
-Type=notify
-Restart=always
-RestartSec=0
-ExecStart=!!@rootlibexecdir@/systemd-timesyncd
-WatchdogSec=3min
-User=systemd-timesync
-CapabilityBoundingSet=CAP_SYS_TIME
 AmbientCapabilities=CAP_SYS_TIME
-PrivateTmp=yes
+CapabilityBoundingSet=CAP_SYS_TIME
+ExecStart=!!@rootlibexecdir@/systemd-timesyncd
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 PrivateDevices=yes
-ProtectSystem=strict
-ProtectHome=yes
+PrivateTmp=yes
 ProtectControlGroups=yes
-ProtectKernelTunables=yes
+ProtectHome=yes
 ProtectKernelModules=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictNamespaces=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+Restart=always
+RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
 RuntimeDirectory=systemd/timesync
-SystemCallFilter=@system-service @clock
-SystemCallErrorNumber=EPERM
-SystemCallArchitectures=native
-LockPersonality=yes
 StateDirectory=systemd/timesync
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @clock
+Type=notify
+User=systemd-timesync
+WatchdogSec=3min
 
 [Install]
 WantedBy=sysinit.target