Gitiles
Code Review Sign In
gerrit.named-data.net / ndncert / 3e4818421a606c46614e25e66296c6e1a0761a75 / . / systemd / ndncert-ca.service.in
blob: 97c81d8fec2879b4077a6ba1e35407e5f4ff46bb [file] [log] [blame]
Zhiyi Zhang79ee9442020-10-17 15:35:56 -0700[diff] [blame]1[Unit]
2Description=Certificate Management Identity Management Service for NDN
Tianyuan Yu13aac732022-03-03 20:59:54 -0800[diff] [blame]3BindsTo=nfd.service
4After=nfd.service
Zhiyi Zhang79ee9442020-10-17 15:35:56 -0700[diff] [blame]5
6[Service]
Zhiyi Zhangd6fa6f42020-10-17 16:17:26 -0700[diff] [blame]7Environment=HOME=%S/ndncert-ca
Zhiyi Zhangaa60c962021-01-22 10:57:41 -0800[diff] [blame]8ExecStart=@BINDIR@/ndncert-ca-server
Zhiyi Zhang79ee9442020-10-17 15:35:56 -0700[diff] [blame]9Restart=on-failure
10RestartPreventExitStatus=2
11User=ndn
12
Tianyuan Yu13aac732022-03-03 20:59:54 -0800[diff] [blame]13CapabilityBoundingSet=
14LockPersonality=yes
15MemoryDenyWriteExecute=yes
16NoNewPrivileges=yes
17PrivateDevices=yes
18PrivateTmp=yes
19PrivateUsers=yes
20ProtectControlGroups=yes
21ProtectHome=yes
22ProtectKernelModules=yes
23ProtectKernelTunables=yes
24# systemd older than v232 doesn't support a value of "strict" for ProtectSystem,
25# so it will ignore that line and use ProtectSystem=full; with newer systemd,
26# the latter assignment is recognized and takes precedence, resulting in an
27# effective setting of ProtectSystem=strict
28ProtectSystem=full
29ProtectSystem=strict
30RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
31RestrictNamespaces=yes
32RestrictRealtime=yes
33StateDirectory=ndncert-ca
34SystemCallArchitectures=native
35SystemCallErrorNumber=EPERM
36SystemCallFilter=~@aio @chown @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap
37
38# Dependency
Zhiyi Zhang79ee9442020-10-17 15:35:56 -0700[diff] [blame]39[Install]
40WantedBy=multi-user.target
Tianyuan Yu13aac732022-03-03 20:59:54 -0800[diff] [blame]41WantedBy=nfd.service