2017-11-18 19:35:03 +03:00
# SPDX-License-Identifier: LGPL-2.1+
#
2013-10-17 05:18:36 +04:00
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description = Network Service
Documentation = man:systemd-networkd.service(8)
2014-06-17 04:18:33 +04:00
ConditionCapability = CAP_NET_ADMIN
2013-10-17 05:18:36 +04:00
DefaultDependencies = no
2016-11-22 10:41:51 +03:00
# systemd-udevd.service can be dropped once tuntap is moved to netlink
Revert "network: set DynamicUser= to systemd-networkd.service"
This reverts commit d4e9e574ea0b5d23598a317e68399584d229568b.
(systemd.conf.m4 part was already reverted in 5b5d82615011b9827466b7cd5756da35627a1608.)
Together those reverts should "fix" #10025 and #10011. ("fix" is in quotes
because this doesn't really fix the underlying issue, which is combining
DynamicUser= with strict container sandbox, but it avoids the problem by not
using that feature in our default installation.)
Dynamic users don't work well if the service requires matching configuration in
other places, for example dbus policy. This is true for those three services.
In effect, distros create the user statically [1, 2]. Dynamic users make more
sense for "add-on" services where not creating the user, or more precisely,
creating the user lazily, can save resources. For "basic" services, if we are
going to create the user on package installation anyway, setting DynamicUser=
just creates unneeded confusion. The only case where it is actually used is
when somebody forgets to do system configuration. But it's better to have the
service fail cleanly in this case too. If we want to turn on some side-effect
of DynamicUser=yes for those services, we should just do that directly through
fine-grained options. By not using DynamicUser= we also avoid the need to
restart dbus.
[1] https://salsa.debian.org/systemd-team/systemd/commit/bd9bf307274faca24699c0c2d67cb86f18c0b2cb
[2] https://src.fedoraproject.org/rpms/systemd/blob/48ac1cebdedb055d9daf3dfe28c7bde80103f7a1/f/systemd.spec#_473
(Fedora does not create systemd-timesync user.)
2018-09-19 11:06:09 +03:00
After = systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
2014-06-17 04:18:33 +04:00
Before = network.target multi-user.target shutdown.target
Conflicts = shutdown.target
2013-10-17 05:18:36 +04:00
Wants = network.target
[Service]
2017-08-26 19:40:47 +03:00
AmbientCapabilities = CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
2018-11-12 19:19:48 +03:00
CapabilityBoundingSet = CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
2019-05-01 15:28:36 +03:00
DeviceAllow = char-* rw
2018-11-12 19:19:48 +03:00
ExecStart = !!@rootlibexecdir@/systemd-networkd
LockPersonality = yes
MemoryDenyWriteExecute = yes
NoNewPrivileges = yes
2016-08-26 14:23:27 +03:00
ProtectControlGroups = yes
2018-11-12 19:19:48 +03:00
ProtectHome = yes
2017-02-09 13:09:50 +03:00
ProtectKernelModules = yes
2018-11-12 19:19:48 +03:00
ProtectSystem = strict
Restart = on-failure
RestartSec = 0
2016-08-26 14:23:27 +03:00
RestrictAddressFamilies = AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
2018-11-12 19:19:48 +03:00
RestrictNamespaces = yes
RestrictRealtime = yes
2019-03-20 21:52:20 +03:00
RestrictSUIDSGID = yes
2017-08-26 19:40:47 +03:00
RuntimeDirectory = systemd/netif
RuntimeDirectoryPreserve = yes
2018-11-12 19:19:48 +03:00
SystemCallArchitectures = native
SystemCallErrorNumber = EPERM
SystemCallFilter = @system-service
Type = notify
User = systemd-network
WatchdogSec = 3min
2014-02-21 07:38:17 +04:00
[Install]
WantedBy = multi-user.target
2015-02-02 00:13:26 +03:00
Also = systemd-networkd.socket
2017-04-10 18:59:58 +03:00
Alias = dbus-org.freedesktop.network1.service
2017-03-27 13:55:55 +03:00
# We want to enable systemd-networkd-wait-online.service whenever this service
# is enabled. systemd-networkd-wait-online.service has
# WantedBy=network-online.target, so enabling it only has an effect if
# network-online.target itself is enabled or pulled in by some other unit.
Also = systemd-networkd-wait-online.service