importd: run daemon at minimal capabilities

[elogind.git] / units / systemd-importd.service.in

diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index b9cb97e6b96fee3910772ed1cfb25b10afa21a58..26759ea0fb47ba970f1fbb5aeeee516ea7098e93 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -12,8 +12,9 @@ Documentation=man:systemd-importd.service(8)
 [Service]
 ExecStart=@rootlibexecdir@/systemd-importd
 BusName=org.freedesktop.import1
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP
+NoNewPrivileges=yes
 WatchdogSec=1min
 PrivateTmp=yes
-PrivateDevices=yes
 ProtectSystem=full
 ProtectHome=yes