Diffstat (limited to 'core/modules/systemd/data/usr/lib/systemd/system/systemd-journald.service')
-rw-r--r--core/modules/systemd/data/usr/lib/systemd/system/systemd-journald.service19
1 files changed, 15 insertions, 4 deletions
diff --git a/core/modules/systemd/data/usr/lib/systemd/system/systemd-journald.service b/core/modules/systemd/data/usr/lib/systemd/system/systemd-journald.service
index 77b4bfe9..38ee6d44 100644
--- a/core/modules/systemd/data/usr/lib/systemd/system/systemd-journald.service
+++ b/core/modules/systemd/data/usr/lib/systemd/system/systemd-journald.service
@@ -10,17 +10,28 @@ Description=Journal Service
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
DefaultDependencies=no
Requires=systemd-journald.socket
-After=systemd-journald.socket syslog.socket
+After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket
Before=sysinit.target
[Service]
+Type=notify
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
ExecStart=/usr/lib/systemd/systemd-journald
Restart=always
RestartSec=0
-NotifyAccess=all
StandardOutput=null
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
+WatchdogSec=3min
+FileDescriptorStoreMax=1024
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
+SystemCallArchitectures=native
# Increase the default a bit in order to allow many simultaneous
-# services being run since we keep one fd open per service.
+# services being run since we keep one fd open per service. Also, when
+# flushing journal files to disk, we might need a lot of fds when many
+# journal files are combined.
LimitNOFILE=16384
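Review bot: The new `SystemCallFilter=~@clock ... @swap` denylist is not paired with a `SystemCallErrorNumber=` setting, so a call into any listed group terminates journald with SIGSYS instead of failing that one call. With the `Restart=always` and `RestartSec=0` lines kept in this hunk, such a kill becomes immediate restarts until systemd's start rate limit trips, which would presumably leave the host without its log collector. Consider adding `SystemCallErrorNumber=EPERM` after the filter line, or a comment stating that the kill is intended. Separately, the bounding set still carries `CAP_SYS_ADMIN` and `CAP_SYS_PTRACE` and now gains `CAP_AUDIT_READ` and `CAP_MAC_OVERRIDE` with no explanation. A comment above `CapabilityBoundingSet=` such as `# CAP_AUDIT_READ: read audit records from the multicast netlink socket; CAP_MAC_OVERRIDE: TODO name the LSM case that needs it` would let the next reviewer check each grant.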