projects / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| a032b68d | 1 | # SPDX-License-Identifier: LGPL-2.1-or-later |
| 52ad194e | 2 | # |
| 4c89c718 MP |
3 | # This file is part of systemd. |
| 4 | # | |
| 5 | # systemd is free software; you can redistribute it and/or modify it | |
| 6 | # under the terms of the GNU Lesser General Public License as published by | |
| 7 | # the Free Software Foundation; either version 2.1 of the License, or | |
| 8 | # (at your option) any later version. | |
| 9 | ||
| 10 | [Unit] | |
| 11 | Description=Process Core Dump | |
| 12 | Documentation=man:systemd-coredump(8) | |
| 13 | DefaultDependencies=no | |
| 4c89c718 | 14 | Conflicts=shutdown.target |
| a10f5d05 | 15 | After=systemd-journald.socket |
| 4c89c718 MP |
16 | Requires=systemd-journald.socket |
| 17 | Before=shutdown.target | |
| 18 | ||
| 19 | [Service] | |
| 8b3d4ff0 | 20 | ExecStart=-{{ROOTLIBEXECDIR}}/systemd-coredump |
| 6e866b33 MB |
21 | IPAddressDeny=any |
| 22 | LockPersonality=yes | |
| 23 | MemoryDenyWriteExecute=yes | |
| 4c89c718 | 24 | Nice=9 |
| 6e866b33 | 25 | NoNewPrivileges=yes |
| 4c89c718 | 26 | OOMScoreAdjust=500 |
| 81c58355 MB |
27 | PrivateDevices=yes |
| 28 | PrivateNetwork=yes | |
| 6e866b33 | 29 | PrivateTmp=yes |
| 81c58355 | 30 | ProtectControlGroups=yes |
| 6e866b33 | 31 | ProtectHome=yes |
| bb4f798a | 32 | ProtectHostname=yes |
| 81c58355 | 33 | ProtectKernelModules=yes |
| 6e866b33 | 34 | ProtectKernelTunables=yes |
| e1f67bc7 | 35 | ProtectKernelLogs=yes |
| 6e866b33 | 36 | ProtectSystem=strict |
| 81c58355 | 37 | RestrictAddressFamilies=AF_UNIX |
| 6e866b33 MB |
38 | RestrictNamespaces=yes |
| 39 | RestrictRealtime=yes | |
| bb4f798a | 40 | RestrictSUIDSGID=yes |
| 6e866b33 | 41 | RuntimeMaxSec=5min |
| f5e65279 | 42 | StateDirectory=systemd/coredump |
| 6e866b33 MB |
43 | SystemCallArchitectures=native |
| 44 | SystemCallErrorNumber=EPERM | |
| 45 | SystemCallFilter=@system-service |