Merge pull request #11922 from poettering/hostname-protect-fix

be a bit more conservative with enabling ProtectHostname= for everything

man/systemd.exec.xml

@@ -1135,9 +1135,13 @@ BindReadOnlyPaths=/var/lib/systemd</programlisting>
         <listitem><para>Takes a boolean argument. When set, sets up a new UTS namespace for the executed
         processes. In addition, changing hostname or domainname is prevented. Defaults to off.</para>
 
-        <para>Note that the implementation of this setting might be impossible (for example if UTS namespaces are not
-        available), and the unit should be written in a way that does not solely rely on this setting for
-        security.</para></listitem>
+        <para>Note that the implementation of this setting might be impossible (for example if UTS namespaces
+        are not available), and the unit should be written in a way that does not solely rely on this setting
+        for security.</para>
+
+        <para>Note that when this option is enabled for a service hostname changes no longer propagate from
+        the system into the service, it is hence not suitable for services that need to take notice of system
+        hostname changes dynamically.</para></listitem>
       </varlistentry>
 
       <varlistentry>

units/systemd-journald.service.in

@@ -23,7 +23,6 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
-ProtectHostname=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK

units/systemd-networkd.service.in

@@ -27,7 +27,6 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 ProtectControlGroups=yes
 ProtectHome=yes
-ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectSystem=strict
 Restart=on-failure

units/systemd-resolved.service.in

@@ -30,7 +30,6 @@ PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
-ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict