resolved: read DNS conf also from creds and kernel cmdline

Note that this drops ProtectProc=invisible from systemd-resolved.service. This is done because othewise access to the booted "kernel" command line is not necessarily available. That's because in containers we want to read /proc/1/cmdline for that. Fixes: #24103
author: Lennart Poettering <lennart@poettering.net> 2023-01-05 15:35:20 +0100
committer: Lennart Poettering <lennart@poettering.net> 2023-01-05 18:52:15 +0100
commit: 116687f26778c5d8f1fceb9b0ebba363a10597bc (patch)
tree: 3514cb8fb28d72896aa6b5434486e4a39b3c23de /units
parent: vconsole: permit configuration of vconsole settings via credentials (diff)
download: systemd-116687f26778c5d8f1fceb9b0ebba363a10597bc.tar.xz
systemd-116687f26778c5d8f1fceb9b0ebba363a10597bc.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 621fe34224..b4227ffd42 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -30,7 +30,6 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
-ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
@@ -51,6 +50,8 @@ SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
 Type=notify
 User=systemd-resolve
+LoadCredential=network.dns
+LoadCredential=network.search_domains
 {{SERVICE_WATCHDOG}}
 
 [Install]
author	Lennart Poettering <lennart@poettering.net>	2023-01-05 15:35:20 +0100
committer	Lennart Poettering <lennart@poettering.net>	2023-01-05 18:52:15 +0100
commit	116687f26778c5d8f1fceb9b0ebba363a10597bc (patch)
tree	3514cb8fb28d72896aa6b5434486e4a39b3c23de /units
parent	vconsole: permit configuration of vconsole settings via credentials (diff)
download	systemd-116687f26778c5d8f1fceb9b0ebba363a10597bc.tar.xz systemd-116687f26778c5d8f1fceb9b0ebba363a10597bc.zip