Merge branch 'collectd-5.5'

[collectd.git] / contrib / systemd.collectd.service

diff --git a/contrib/systemd.collectd.service b/contrib/systemd.collectd.service
index 50820bd..0e758e4 100644 (file)
--- a/contrib/systemd.collectd.service
+++ b/contrib/systemd.collectd.service
@@ -10,6 +10,15 @@ EnvironmentFile=-/etc/default/collectd
 ProtectSystem=full
 ProtectHome=true
 
+# drop all capabilities:
+CapabilityBoundingSet=
+# use this instead if you use the dns or ping plugin
+#CapabilityBoundingSet=CAP_NET_RAW
+# turn this on if you use the iptables next to the dns or ping plugin
+#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+
+NoNewPrivileges=true
+
 # Tell systemd it will receive a notification from collectd over it's control
 # socket once the daemon is ready. See systemd.service(5) for more details.
 Type=notify