[Unit] Description=NetworkManager Privileged Helper # # nm-priv-helper exists for privilege separation. It allows to run # NetworkManager without certain capabilities, and ask nm-priv-helper # for special operations where more privileges are required. # # While nm-priv-helper has privileges that NetworkManager has not, it # does not mean that itself should run totally unconstrained. On the # contrary, it also should only have permissions it requires. # # nm-priv-helper rejects all requests that come from any other than the # name owner of "org.freedesktop.NetworkManager" (that is, # NetworkManager process itself). It is thus only an implementation # detail and provides no public API to the user. [Service] Type=dbus BusName=org.freedesktop.nm_priv_helper ExecStart=@libexecdir@/nm-priv-helper NotifyAccess=main # Extra configuration options. Set via `systemctl edit # nm-priv-helper.service`: # # FOR TESTING ONLY: disable authentication to allow requests from # everybody. Don't set this outside of testing! #Environment=NM_PRIV_HELPER_NO_AUTH_FOR_TESTING=1 # # The logging level for debug messages (to stdout). #Environment=NM_PRIV_HELPER_LOG=TRACE # # nm-priv-helper will exit on idle after timeout. Set timeout here or # set to 2147483647 for infinity. #Environment=NM_PRIV_HELPER_IDLE_TIMEOUT_MSEC=10000 # Restrict: AmbientCapabilities= CapabilityBoundingSet= PrivateDevices=true PrivateMounts=true PrivateNetwork=true PrivateTmp=true ProtectClock=true ProtectControlGroups=true ProtectHome=true ProtectHostname=true ProtectKernelLogs=true ProtectKernelModules=true ProtectKernelTunables=true ProtectSystem=strict RestrictAddressFamilies= RestrictNamespaces=true SystemCallFilter=~@clock SystemCallFilter=~@cpu-emulation SystemCallFilter=~@debug SystemCallFilter=~@module SystemCallFilter=~@mount SystemCallFilter=~@obsolete SystemCallFilter=~@privileged SystemCallFilter=~@raw-io SystemCallFilter=~@reboot SystemCallFilter=~@swap NoNewPrivileges=true SupplementaryGroups= # Grant: CapabilityBoundingSet=CAP_DAC_OVERRIDE PrivateUsers=no RestrictAddressFamilies=AF_UNIX SystemCallFilter=@resources