units: make use of !! ExecStart= prefix in systemd-networkd.service

Let's make use of !! to run networkd with ambient capabilities on
systems supporting them.

1 files changed, 6 insertions, 3 deletions

diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 218e5c4d3f..3f0ad77b7d 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -20,9 +20,11 @@ Wants=network.target
 Type=notify
 Restart=on-failure
 RestartSec=0
-ExecStart=@rootlibexecdir@/systemd-networkd
+ExecStart=!!@rootlibexecdir@/systemd-networkd
 WatchdogSec=3min
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+User=systemd-network
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
 ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
@@ -32,7 +34,8 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
-ReadWritePaths=/run/systemd
+RuntimeDirectory=systemd/netif
+RuntimeDirectoryPreserve=yes
 
 [Install]
 WantedBy=multi-user.target