data/fwupd.service.in - external/github.com/fwupd/fwupd - Git at Google

 [Unit]
 Description=Firmware update daemon
 Documentation=https://fwupd.org/
 Wants=modprobe@sd_mod.service
 After=modprobe@sd_mod.service dbus.service
 Before=display-manager.service
 ConditionVirtualization=!container

 [Service]
 Type=dbus
 TimeoutSec=180
 RuntimeDirectory=@motd_dir@
 RuntimeDirectoryPreserve=yes
 BusName=org.freedesktop.fwupd
 ExecStart=@libexecdir@/fwupd/fwupd
 KeyringMode=private
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=no
 PrivateDevices=no
 PrivateTmp=true
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectProc=invisible
 ProtectSystem=full
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 Environment="GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK"
 RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET AF_INET6
 @dynamic_options@
	[Unit]
	Description=Firmware update daemon
	Documentation=https://fwupd.org/
	Wants=modprobe@sd_mod.service
	After=modprobe@sd_mod.service dbus.service
	Before=display-manager.service
	ConditionVirtualization=!container

	[Service]
	Type=dbus
	TimeoutSec=180
	RuntimeDirectory=@motd_dir@
	RuntimeDirectoryPreserve=yes
	BusName=org.freedesktop.fwupd
	ExecStart=@libexecdir@/fwupd/fwupd
	KeyringMode=private
	LockPersonality=yes
	MemoryDenyWriteExecute=yes
	NoNewPrivileges=no
	PrivateDevices=no
	PrivateTmp=true
	ProtectClock=yes
	ProtectControlGroups=yes
	ProtectHome=yes
	ProtectHostname=yes
	ProtectKernelLogs=yes
	ProtectKernelModules=yes
	ProtectKernelTunables=yes
	ProtectProc=invisible
	ProtectSystem=full
	RestrictNamespaces=yes
	RestrictRealtime=yes
	RestrictSUIDSGID=yes
	SystemCallArchitectures=native
	Environment="GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK"
	RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET AF_INET6
	@dynamic_options@