Control: reopen -1
Control: retitle -1 improve the ppp systemd unit

The unit that you added to 2.5.1-1+1~exp1 is very simplistic.
I have been using these units for many years and I recommend that you start with something like it.
The sandboxing is limited enough that it should not cause any issues when random programs are executed by the up/down scripts.

I do not think that "Before=network.target" is useful, or even correct.

ppp@.service:

[Unit]
Description=PPPoE connection for %I
Documentation=man:pppd(8)

[Service]
Type=notify
ExecStart=/usr/sbin/pppd plugin rp-pppoe.so %I call %I linkname %I up_sdnotify
ExecStop=/bin/kill $MAINPID
SuccessExitStatus=5 12 13 14
Restart=on-failure
Nice=-5
StandardOutput=null
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
RuntimeDirectory=pppd
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target

pppoe@.service:

[Unit]
Description=PPPoE connection for %I
Documentation=man:pppd(8)
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
Type=notify
ExecStart=/usr/sbin/pppd plugin rp-pppoe.so %I call %I linkname %I up_sdnotify
ExecStop=/bin/kill $MAINPID
SuccessExitStatus=5 12 13 14
Restart=on-failure
Nice=-5
StandardOutput=null
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
RuntimeDirectory=pppd
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

[Install]
WantedBy=sys-subsystem-net-devices-%i.device

-- 
ciao,
Marco
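One way to confirm that a deployed unit, after its drop-ins are merged, still carries the sandboxing settings from the units in the message above. This is an added example, not part of the original message or of the ppp package; `EXPECTED`, `service_settings`, `audit` and the sample text are names and data made up for illustration.

```python
# Single-valued sandboxing settings from the [Service] sections posted above.
# SystemCallFilter= and SystemCallArchitectures= are left out: repeated
# assignments of those are merged by systemd rather than overridden.
EXPECTED = {
    "PrivateTmp": "yes", "ProtectHome": "yes", "ProtectSystem": "strict",
    "ProtectClock": "yes", "ProtectControlGroups": "yes",
    "ProtectHostname": "yes", "ProtectKernelLogs": "yes",
    "ProtectKernelModules": "yes", "ProtectKernelTunables": "yes",
    "LockPersonality": "yes", "MemoryDenyWriteExecute": "yes",
    "RestrictRealtime": "yes",
}
TRUE_WORDS = {"1", "yes", "true", "on"}  # systemd's spellings of boolean true


def service_settings(unit_text):
    """Return the last value assigned to each key inside [Service]."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()  # a later line overrides
    return settings


def audit(unit_text):
    """Map each missing or weakened directive to (expected, found)."""
    found, problems = service_settings(unit_text), {}
    for key, want in EXPECTED.items():
        have = found.get(key)
        if want == "yes":
            ok = have is not None and have.lower() in TRUE_WORDS
        else:
            ok = have == want
        if not ok:
            problems[key] = (want, have)
    return problems


# Constructed sample: a unit followed by a drop-in, in the order systemd
# would apply them. The drop-in weakens ProtectSystem= from strict to full.
SAMPLE = """[Service]
PrivateTmp=true
ProtectSystem=strict
[Service]
ProtectSystem=full
"""
```

`audit(SAMPLE)` reports `ProtectSystem` as `("strict", "full")` and every directive the sample never sets as `(expected, None)`; an empty result means all twelve settings are in effect.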