From 6f9148bab97170393db2005222b66d82e0477aaa Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Wed, 13 Mar 2024 10:15:23 +0900 Subject: [PATCH] unit: do not trigger automount for /boot and/or /efi ProtectSystem=full remounts /boot and/or /efi read-only, but that may trigger automount for the paths and delay the service being started. === systemd[1]: boot.automount: Got automount request for /boot, triggered by 720 ((networkd)) === The service does not need to access the paths, so let's hide them. Follow-up for f90eb086270f0aea8efcbff5a5e4c338d178cfd4. Fixes #31742. --- units/systemd-networkd.service.in | 1 + 1 file changed, 1 insertion(+) diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in index 099e7211e6..bfbc0b193e 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.in @@ -27,6 +27,7 @@ DeviceAllow=char-* rw ExecStart=!!{{LIBEXECDIR}}/systemd-networkd FileDescriptorStoreMax=512 ImportCredential=network.wireguard.* +InaccessiblePaths=-/boot -/efi LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes
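Review bot: the new `InaccessiblePaths=-/boot -/efi` line sits in the alphabetical run between `ImportCredential=` and `LockPersonality=`, which matches the unit's ordering, and the `-` prefix is required because `/efi` (and on some layouts `/boot`) may not exist on the host; what the unit itself does not convey is why hiding the paths is needed when `ProtectSystem=full` already makes them read-only, so a reader of the unit file alone will later be tempted to drop the line as redundant. Suggest a one-line comment above the directive, e.g. `# Hide /boot and /efi so ProtectSystem=full does not trigger their automounts (#31742)`, so the issue reference travels with the setting rather than only with the commit message. Also worth confirming in the PR that networkd has no code path reading these directories (its configuration comes from /etc/systemd/network, /run/systemd/network and /usr/lib/systemd/network), since `InaccessiblePaths=` removes even the read access that `ProtectSystem=full` would have left, and an ESP mounted at /boot/efi is covered by the /boot entry.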