network.target does not guarantee interfaces are fully configured, which
can result in bound addresses not being available when the daemon
starts. This leads to errors on start-up and potentially broken
connectivity.
network-online.target does provide these guarantees, but needs a
slightly different dependency configuration with Wants= on top of After=
(cf. systemd.special(7)).
Closes#2720.
ProtectSystem mounts /boot, /efi and /usr as read only, basically
disallowing the daemon from ever writing there. PrivateTmp sets up a
file system namespace for /tmp and /var/tmp/ basically hiding it from
other processes.
Co-authored-by: Charles Kerr <charles@charleskerr.com>
Attempts to create memory mappings that are writable and executable at the same time, or to change existing memory mappings to become executable, or mapping shared memory segments as executable are prohibited.
There's no reason transmission should be doing that. If it does, it's because of malicious code exploiting a vulnerability.
See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=
Robin Seth Ekman