| # The "strict" security profile for services, all options turned on |
| |
| [Service] |
| MountAPIVFS=yes |
| TemporaryFileSystem=/run |
| BindReadOnlyPaths=/run/systemd/notify |
| BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout |
| BindReadOnlyPaths=/etc/machine-id |
| DynamicUser=yes |
| RemoveIPC=yes |
| CapabilityBoundingSet= |
| PrivateTmp=yes |
| PrivateDevices=yes |
| PrivateUsers=yes |
| ProtectSystem=strict |
| ProtectHome=yes |
| ProtectKernelTunables=yes |
| ProtectKernelModules=yes |
| ProtectControlGroups=yes |
| RestrictAddressFamilies=AF_UNIX |
| LockPersonality=yes |
| NoNewPrivileges=yes |
| MemoryDenyWriteExecute=yes |
| RestrictRealtime=yes |
| RestrictNamespaces=yes |
| SystemCallFilter=@system-service |
| SystemCallErrorNumber=EPERM |
| SystemCallArchitectures=native |
| PrivateNetwork=yes |
| IPAddressDeny=any |
| TasksMax=4 |