- mkdir_label("/run/systemd/network/links", 0755);
- mkdir_label("/run/systemd/network/leases", 0755);
+ r = mkdir_safe_label("/run/systemd/netif", 0755, uid, gid);
+ if (r < 0)
+ log_error("Could not create runtime directory: %s",
+ strerror(-r));
+
+ r = mkdir_safe_label("/run/systemd/netif/links", 0755, uid, gid);
+ if (r < 0)
+ log_error("Could not create runtime directory 'links': %s",
+ strerror(-r));
+
+ r = mkdir_safe_label("/run/systemd/netif/leases", 0755, uid, gid);
+ if (r < 0)
+ log_error("Could not create runtime directory 'leases': %s",
+ strerror(-r));
+
+ r = drop_privileges(uid, gid,
+ (1ULL << CAP_NET_ADMIN) |
+ (1ULL << CAP_NET_BIND_SERVICE) |
+ (1ULL << CAP_NET_BROADCAST) |
+ (1ULL << CAP_NET_RAW));
+ if (r < 0)
+ goto out;
+
+ assert_se(sigprocmask_many(SIG_BLOCK, SIGTERM, SIGINT, -1) == 0);