unit/network: use ProtectSystem=strict again

Now, networkd accesses the state directory through the file descriptor passed from systemd-networkd-persistent-storage.service. Hence, the networkd itself does not need to access the state directory through its path, and we can use more stronger mode for ProtectSystem=.
2025-01-09 01:18:19 +03:00 · 2024-03-14 02:28:06 +09:00 · 2024-03-14 02:28:06 +09:00 · a9e7894d38
commit a9e7894d38
parent bfd8f70cb8
1 changed files with 1 additions and 2 deletions
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@ -27,7 +27,6 @@ DeviceAllow=char-* rw
 ExecStart=!!{{LIBEXECDIR}}/systemd-networkd
 FileDescriptorStoreMax=512
 ImportCredential=network.wireguard.*
-InaccessiblePaths=-/boot -/efi
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
@ -37,7 +36,7 @@ ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
-ProtectSystem=full
+ProtectSystem=strict
 Restart=on-failure
 RestartKillSignal=SIGUSR2
 RestartSec=0