X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=units%2Fsystemd-resolved.service.in;h=b643da9a73e064a30445510a6992c77cf23fb27b;hp=f4bbb7c160bfbeb3c5ea34c9c10c12f83be0cf25;hb=40672b99c7da7efd317fc31612504fe7d5ab0b65;hpb=091a364c802e34a58f3260c9cb5db9b75c62215c

diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index f4bbb7c16..b643da9a7 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -10,12 +10,20 @@ Description=Network Name Resolution
 Documentation=man:systemd-resolved.service(8)
 After=systemd-networkd.service network.service
 
+# On kdbus systems we pull in the busname explicitly, because it
+# carries policy that allows the daemon to acquire its name.
+Wants=org.freedesktop.resolve1.busname
+After=org.freedesktop.resolve1.busname
+
 [Service]
 Type=notify
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-resolved
-CapabilityBoundingSet=
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+ProtectSystem=full
+ProtectHome=yes
+WatchdogSec=1min
 
 [Install]
 WantedBy=multi-user.target