# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

# Unit template for the systemd-resolved name resolution daemon. The {{...}}
# tokens are placeholders that have to be substituted before systemd can load
# the file; their expansions are not visible here.
# The [Service] directives are grouped by what they restrict. Comments sit on
# their own lines because unit files do not support trailing comments.
# After changing anything here or in a drop-in, the resulting sandbox can be
# reviewed with: systemd-analyze security systemd-resolved.service

[Unit]
Description=Network Name Resolution
Documentation=man:systemd-resolved.service(8)
Documentation=man:org.freedesktop.resolve1(5)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients

# The implicit default dependencies are switched off, so start ordering and
# the stop-on-shutdown behaviour are spelled out explicitly.
DefaultDependencies=no
Conflicts=shutdown.target
Before=sysinit.target network.target nss-lookup.target shutdown.target
# Presumably so that the account named in User= exists before start - confirm.
After=systemd-sysusers.service
Wants=nss-lookup.target

[Service]
# --- Start-up and supervision ---
# Readiness is reported by the daemon itself via the notification socket.
Type=notify
# "!!" only takes effect on systems without ambient capability support: there
# the process starts with full privileges, AmbientCapabilities= is skipped and
# the capability/syscall restrictions are relaxed so the daemon can drop
# privileges itself. Where ambient capabilities work, "!!" is a no-op and the
# User=/AmbientCapabilities= settings below apply directly.
ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-resolved
BusName=org.freedesktop.resolve1
# Restart on every exit, without delay; the start rate limit still applies.
Restart=always
RestartSec=0

# --- Identity and capabilities ---
# Unprivileged service account instead of root.
User=systemd-resolve
# The bounding set caps what the process can ever hold; the ambient set hands
# the same three capabilities to the non-root process.
#   CAP_NET_BIND_SERVICE  bind to ports below 1024
#   CAP_NET_RAW           raw sockets
#   CAP_SETPCAP           change its own capability sets (presumably to drop
#                         what it no longer needs - confirm)
# Anything that widens these lists widens what a compromised resolver can do.
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
# No privilege gain through execve() (setuid binaries, file capabilities).
NoNewPrivileges=yes

# --- File system view ---
# Whole hierarchy read-only apart from /dev, /proc and /sys ...
ProtectSystem=strict
# ... with /run/systemd/resolve as the writable runtime directory.
RuntimeDirectory=systemd/resolve
# Keep that directory when the service stops or restarts (presumably because
# other programs reference files in it - confirm).
RuntimeDirectoryPreserve=yes
# /home, /root and /run/user are inaccessible and appear empty.
ProtectHome=yes
# Private /tmp and /var/tmp; private /dev without physical devices.
PrivateTmp=yes
PrivateDevices=yes
# Processes of other users are hidden in /proc.
ProtectProc=invisible
ProtectControlGroups=yes

# --- Kernel interfaces ---
# No clock changes, kernel log access, module loading or sysctl writes.
ProtectClock=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes

# --- Sockets and namespaces ---
# Allow-list: sockets of any other address family cannot be created.
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes

# --- Process behaviour ---
LockPersonality=yes
# No memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
# Cannot set SUID/SGID bits on files.
RestrictSUIDSGID=yes

# --- System call filter ---
# Allow-list of the @system-service group, native ABI only; a filtered call
# fails with EPERM instead of terminating the process.
SystemCallFilter=@system-service
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM

# Build-time placeholder, kept last in the section; presumably expands to the
# watchdog setting - confirm against the build configuration.
{{SERVICE_WATCHDOG}}

[Install]
WantedBy=sysinit.target
# Alias created on enable; presumably the unit name D-Bus activation refers
# to - confirm.
Alias=dbus-org.freedesktop.resolve1.service