summaryrefslogtreecommitdiff
path: root/src/grp-journal/grp-remote/systemd-journal-remote/systemd-journal-remote.service.in
diff options
context:
space:
mode:
Diffstat (limited to 'src/grp-journal/grp-remote/systemd-journal-remote/systemd-journal-remote.service.in')
-rw-r--r--src/grp-journal/grp-remote/systemd-journal-remote/systemd-journal-remote.service.in13
1 files changed, 9 insertions, 4 deletions
diff --git a/src/grp-journal/grp-remote/systemd-journal-remote/systemd-journal-remote.service.in b/src/grp-journal/grp-remote/systemd-journal-remote/systemd-journal-remote.service.in
index fdf3da4b64..753dd6c158 100644
--- a/src/grp-journal/grp-remote/systemd-journal-remote/systemd-journal-remote.service.in
+++ b/src/grp-journal/grp-remote/systemd-journal-remote/systemd-journal-remote.service.in
@@ -11,15 +11,20 @@ Documentation=man:systemd-journal-remote(8) man:journal-remote.conf(5)
Requires=systemd-journal-remote.socket
[Service]
-ExecStart=@rootlibexecdir@/systemd-journal-remote \
- --listen-https=-3 \
- --output=/var/log/journal/remote/
+ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/
User=systemd-journal-remote
Group=systemd-journal-remote
+WatchdogSec=3min
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
-WatchdogSec=3min
+ProtectSystem=full
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
[Install]
Also=systemd-journal-remote.socket