From 116687f26778c5d8f1fceb9b0ebba363a10597bc Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 5 Jan 2023 15:35:20 +0100 Subject: resolved: read DNS conf also from creds and kernel cmdline Note that this drops ProtectProc=invisible from systemd-resolved.service. This is done because otherwise access to the booted "kernel" command line is not necessarily available. That's because in containers we want to read /proc/1/cmdline for that. Fixes: #24103 --- units/systemd-resolved.service.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'units') diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in index 621fe34224..b4227ffd42 100644 --- a/units/systemd-resolved.service.in +++ b/units/systemd-resolved.service.in @@ -30,7 +30,6 @@ MemoryDenyWriteExecute=yes NoNewPrivileges=yes PrivateDevices=yes PrivateTmp=yes -ProtectProc=invisible ProtectClock=yes ProtectControlGroups=yes ProtectHome=yes @@ -51,6 +50,8 @@ SystemCallErrorNumber=EPERM SystemCallFilter=@system-service Type=notify User=systemd-resolve +LoadCredential=network.dns +LoadCredential=network.search_domains {{SERVICE_WATCHDOG}} [Install]
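Review bot: Dropping `-ProtectProc=invisible` in the first hunk (@@ -30,7 +30,6 @@) weakens the sandbox for every deployment, not only the container case the commit message gives as the reason: the service runs as `User=systemd-resolve`, and with `ProtectProc=invisible` gone it can now see every other user's processes under /proc, when all it needs is /proc/1/cmdline. Please either leave a comment next to the remaining Protect*= lines saying why ProtectProc= is deliberately absent (so the next hardening pass does not silently put it back and break the container path), or consider having the container manager hand the command line in as a credential instead, since this same patch already adds LoadCredential= lines and that would let `ProtectProc=invisible` stay.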
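Review bot: The second hunk (@@ -51,6 +50,8 @@) introduces two new credential names, `network.dns` and `network.search_domains`, without a source path, so they are taken from whatever credentials the service manager itself was given. Please confirm in the commit message or the unit that a missing credential does not fail service start-up, since on most hosts neither credential will exist, and make sure the expected content format of both credentials (one value per line? space-separated? are search domains and routing domains distinguished?) is documented where the unit's other inputs are, so that anyone passing them via the container manager or the boot loader knows what resolved will parse.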