X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=units%2Fsystemd-bus-proxyd%40.service.in;fp=units%2Fsystemd-bus-proxyd%40.service.in;h=3dc2cd9e65d2d1b76482c3e783b4c97f5a974d0f;hp=fafd4ce033fd93fce7c0df1f35ed781b512c3037;hb=6a010ac9e5aa585637b4b79df92f8ca5537faf71;hpb=72543b361d653520b5bc3344bf4653385b61541e

diff --git a/units/systemd-bus-proxyd@.service.in b/units/systemd-bus-proxyd@.service.in
index fafd4ce03..3dc2cd9e6 100644
--- a/units/systemd-bus-proxyd@.service.in
+++ b/units/systemd-bus-proxyd@.service.in
@@ -12,9 +12,11 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
 # The first argument will be replaced by the service by information on
 # the process requesting the proxy, we need a placeholder to keep the
 # space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 NotifyAccess=main
-CapabilityBoundingSet=CAP_IPC_OWNER
+CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
 PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
+ReadOnlySystem=yes
+ProtectedHome=yes