X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=units%2Fsystemd-resolved.service.in;h=e06868494b08cab69c6e70a386a3b04a16048047;hb=2df959ec3b5128dfe4d9b996dc13b16a8f4c4233;hp=f4bbb7c160bfbeb3c5ea34c9c10c12f83be0cf25;hpb=091a364c802e34a58f3260c9cb5db9b75c62215c;p=elogind.git

diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index f4bbb7c16..e06868494 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -10,12 +10,19 @@ Description=Network Name Resolution
 Documentation=man:systemd-resolved.service(8)
 After=systemd-networkd.service network.service
 
+# On kdbus systems we pull in the busname explicitly, because it
+# carries policy that allows the daemon to acquire its name.
+Wants=org.freedesktop.resolve1.busname
+After=org.freedesktop.resolve1.busname
+
 [Service]
 Type=notify
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-resolved
-CapabilityBoundingSet=
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+ProtectSystem=full
+ProtectHome=yes
 
 [Install]
 WantedBy=multi-user.target