X-Git-Url: https://git.verplant.org/?a=blobdiff_plain;ds=sidebyside;f=contrib%2Fsystemd.collectd.service;h=0e758e40ef85a9fb6aba1c921da5a0f27c89a41d;hb=4d6ff066b1c60a8e6654e4c74370ef951f37b5f3;hp=50820bd7389f7bc31742cbe64c8a3295a5c8c65e;hpb=71bc7b2a9bf47879ce1824d295465de29ca9b152;p=collectd.git

diff --git a/contrib/systemd.collectd.service b/contrib/systemd.collectd.service
index 50820bd7..0e758e40 100644
--- a/contrib/systemd.collectd.service
+++ b/contrib/systemd.collectd.service
@@ -10,6 +10,15 @@ EnvironmentFile=-/etc/default/collectd
 ProtectSystem=full
 ProtectHome=true
 
+# drop all capabilities:
+CapabilityBoundingSet=
+# use this instead if you use the dns or ping plugin
+#CapabilityBoundingSet=CAP_NET_RAW
+# turn this on if you use the iptables next to the dns or ping plugin
+#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+
+NoNewPrivileges=true
+
 # Tell systemd it will receive a notification from collectd over it's control
 # socket once the daemon is ready. See systemd.service(5) for more details.
 Type=notify