commit 13aac73b4eded9efe2e2e2bf77153893e2ad0467
author Tianyuan Yu <tianyuan@cs.ucla.edu> Thu Mar 03 20:59:54 2022 -0800
committer Tianyuan Yu <tianyuan@cs.ucla.edu> Sat Mar 05 14:21:26 2022 -0800
tree 0406f2809256b94bfe45ecc342a16ffb12206871
parent fae76c4dc736b0252e4503ef76c8738afce1d571

Prepare for testbed deployment: name assignment and redirection policy

Change-Id: I7f4da10b763f3891d33820e9c6f4c7cb0eea60ce

systemd/ndncert-ca.service.in

diff --git a/systemd/ndncert-ca.service.in b/systemd/ndncert-ca.service.in
index 94ac006..97c81d8 100644
--- a/systemd/ndncert-ca.service.in
+++ b/systemd/ndncert-ca.service.in
@@ -1,14 +1,41 @@
 [Unit]
 Description=Certificate Management Identity Management Service for NDN
+BindsTo=nfd.service
+After=nfd.service
 
 [Service]
 Environment=HOME=%S/ndncert-ca
 ExecStart=@BINDIR@/ndncert-ca-server
 Restart=on-failure
 RestartPreventExitStatus=2
-RestartSec=5
 User=ndn
 
+CapabilityBoundingSet=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+# systemd older than v232 doesn't support a value of "strict" for ProtectSystem,
+# so it will ignore that line and use ProtectSystem=full; with newer systemd,
+# the latter assignment is recognized and takes precedence, resulting in an
+# effective setting of ProtectSystem=strict
+ProtectSystem=full
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
+RestrictNamespaces=yes
+RestrictRealtime=yes
+StateDirectory=ndncert-ca
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap
+
+# Dependency
 [Install]
 WantedBy=multi-user.target
-Alias=ndncert.service
\ No newline at end of file
+WantedBy=nfd.service
\ No newline at end of file