From a9e7894d387bde1371f9bf2d8e30d810375c94bd Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 14 Mar 2024 02:28:06 +0900
Subject: [PATCH] unit/network: use ProtectSystem=strict again

Now, networkd accesses the state directory through the file descriptor
passed from systemd-networkd-persistent-storage.service.
Hence, the networkd itself does not need to access the state directory
through its path, and we can use more stronger mode for ProtectSystem=.
---
 units/systemd-networkd.service.in | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index bfbc0b193e1..6141fdbb6d7 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -27,7 +27,6 @@ DeviceAllow=char-* rw
 ExecStart=!!{{LIBEXECDIR}}/systemd-networkd
 FileDescriptorStoreMax=512
 ImportCredential=network.wireguard.*
-InaccessiblePaths=-/boot -/efi
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
@@ -37,7 +36,7 @@ ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
-ProtectSystem=full
+ProtectSystem=strict
 Restart=on-failure
 RestartKillSignal=SIGUSR2
 RestartSec=0