2020-11-09 13:23:58 +09:00
# SPDX-License-Identifier: LGPL-2.1-or-later
2017-11-18 17:35:03 +01:00
#
2011-04-16 02:02:54 +02:00
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
2012-04-12 00:20:58 +02:00
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
2011-04-16 02:02:54 +02:00
# (at your option) any later version.
[Unit]
Description = Hostname Service
2020-09-29 08:03:10 +02:00
Documentation = man:systemd-hostnamed.service(8)
Documentation = man:hostname(5)
Documentation = man:machine-info(5)
2023-05-09 04:01:34 +09:00
Documentation = man:org.freedesktop.hostname1(5)
2011-04-16 02:02:54 +02:00
[Service]
2024-01-09 19:53:18 +08:00
Type = notify
2011-04-16 02:02:54 +02:00
BusName = org.freedesktop.hostname1
2016-08-26 13:23:27 +02:00
CapabilityBoundingSet = CAP_SYS_ADMIN
2023-06-12 02:15:19 +01:00
ExecStart = {{LIBEXECDIR}}/systemd-hostnamed
2018-11-12 17:19:48 +01:00
IPAddressDeny = any
LockPersonality = yes
MemoryDenyWriteExecute = yes
NoNewPrivileges = yes
2024-01-05 16:34:33 +01:00
DeviceAllow = /dev/vsock r
2014-03-19 23:08:39 +01:00
PrivateNetwork = yes
2018-11-12 17:19:48 +01:00
PrivateTmp = yes
2020-08-06 14:50:38 +02:00
ProtectProc = invisible
2016-08-26 13:23:27 +02:00
ProtectControlGroups = yes
2018-11-12 17:19:48 +01:00
ProtectHome = yes
2020-08-06 14:50:38 +02:00
ProtectKernelLogs = yes
2017-02-09 11:09:50 +01:00
ProtectKernelModules = yes
2018-11-12 17:19:48 +01:00
ProtectKernelTunables = yes
ProtectSystem = strict
hostnamed,shared/hostname-setup: expose the origin of the current hostname
In hostnamed this is exposed as a dbus property, and in the logs in both
places.
This is of interest to network management software and such: if the fallback
hostname is used, it's not as useful as the real configured thing. Right now
various programs try to guess the source of hostname by looking at the string.
E.g. "localhost" is assumed to be not the real hostname, but "fedora" is. Any
such attempts are bound to fail, because we cannot distinguish "fedora" (a
fallback value set by a distro), from "fedora" (received from reverse dns),
from "fedora" read from /etc/hostname.
/run/systemd/fallback-hostname is written with the fallback hostname when
either pid1 or hostnamed sets the kernel hostname to the fallback value. Why
remember the fallback value and not the transient hostname in /run/hostname
instead?
We have three hostname types: "static", "transient", fallback".
– Distinguishing "static" is easy: the hostname that is set matches what
is in /etc/hostname.
– Distingiushing "transient" and "fallback" is not easy. And the
"transient" hostname may be set outside of pid1+hostnamed. In particular,
it may be set by container manager, some non-systemd tool in the initramfs,
or even by a direct call. All those mechanisms count as "transient". Trying
to get those cases to write /run/hostname is futile. It is much easier to
isolate the "fallback" case which is mostly under our control.
And since the file is only used as a flag to mark the hostname as fallback,
it can be hidden inside of our /run/systemd directory.
For https://bugzilla.redhat.com/show_bug.cgi?id=1892235.
2020-12-04 19:40:34 +01:00
ReadWritePaths = /etc /run/systemd
2016-08-26 13:23:27 +02:00
RestrictAddressFamilies = AF_UNIX
2018-11-12 17:19:48 +01:00
RestrictNamespaces = yes
RestrictRealtime = yes
2019-03-20 19:52:20 +01:00
RestrictSUIDSGID = yes
2017-02-08 22:32:37 +01:00
SystemCallArchitectures = native
2018-11-12 17:19:48 +01:00
SystemCallErrorNumber = EPERM
SystemCallFilter = @system-service sethostname
2021-05-16 11:55:36 +02:00
{ { S E R V I C E _ W A T C H D O G } }