X-Git-Url: https://git.verplant.org/?a=blobdiff_plain;f=contrib%2Fsystemd.collectd.service;h=0e758e40ef85a9fb6aba1c921da5a0f27c89a41d;hb=48aea1cec5828800671bce25c70548d241a05fd6;hp=ba922d6ec778b50f8dca3848abca50136dd183ab;hpb=47116ea041bf801ad6ab8a26fae14a3b1b0ba317;p=collectd.git

diff --git a/contrib/systemd.collectd.service b/contrib/systemd.collectd.service
index ba922d6e..0e758e40 100644
--- a/contrib/systemd.collectd.service
+++ b/contrib/systemd.collectd.service
@@ -7,6 +7,17 @@ Requires=local-fs.target network.target
 ExecStart=/usr/sbin/collectd
 EnvironmentFile=-/etc/sysconfig/collectd
 EnvironmentFile=-/etc/default/collectd
+ProtectSystem=full
+ProtectHome=true
+
+# drop all capabilities:
+CapabilityBoundingSet=
+# use this instead if you use the dns or ping plugin
+#CapabilityBoundingSet=CAP_NET_RAW
+# turn this on if you use the iptables next to the dns or ping plugin
+#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+
+NoNewPrivileges=true
 
 # Tell systemd it will receive a notification from collectd over it's control
 # socket once the daemon is ready. See systemd.service(5) for more details.
@@ -14,7 +25,6 @@ Type=notify
 
 # Restart the collectd daemon after a 10 seconds delay, in case it crashes.
 Restart=on-failure
-RestartSec=10
 
 [Install]
 WantedBy=multi-user.target