# The "default" security profile for services, i.e. a number of useful restrictions

[Service]
MountAPIVFS=yes
TemporaryFileSystem=/run
BindReadOnlyPaths=/run/systemd/notify
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
BindReadOnlyPaths=/etc/machine-id
BindReadOnlyPaths=/etc/resolv.conf
BindReadOnlyPaths=/run/dbus/system_bus_socket
DynamicUser=yes
RemoveIPC=yes
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \
                      CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_NET_ADMIN \
                      CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_SETGID CAP_SETPCAP \
                      CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
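# Worked example: how this profile merges with a per-service drop-in
#
# The profile above is only a baseline: the CapabilityBoundingSet= it grants still
# contains CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SETUID and CAP_SETGID, so a unit that
# layers on top of it is expected to tighten the set further. The following Python
# is an added example, not part of this profile or of systemd: it parses an excerpt
# of the profile (handling the backslash line continuation used above), applies the
# CapabilityBoundingSet= merge rules documented in systemd.exec(5) (repeated lines
# OR together, "~" lines remove, an empty assignment resets), and reports which broad
# capabilities survive once a hypothetical drop-in (foo.service.d/10-caps.conf, an
# assumed name) is applied. The BROAD_CAPS list is the example's own judgment call.

```python
"""Parse a systemd unit fragment and merge CapabilityBoundingSet= the way
systemd does (systemd.exec(5)): repeated lines OR together, "~" lines AND
with their complement, and an empty assignment resets to the empty set."""
from collections import defaultdict

# Constructed sample input: an excerpt of the "default" profile above.
DEFAULT_PROFILE = r"""
# The "default" security profile for services
[Service]
DynamicUser=yes
BindReadOnlyPaths=/run/systemd/notify
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \
                      CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_NET_ADMIN \
                      CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_SETGID CAP_SETPCAP \
                      CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE
SystemCallFilter=@system-service
"""

# Constructed, hypothetical drop-in (foo.service.d/10-caps.conf): a service that
# only needs a privileged port resets the bounding set and allows one capability.
TIGHTENING_DROPIN = """
[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
"""

# This example's own judgment (not a systemd list): capabilities that let a
# compromised service step around most of the other restrictions in the profile.
BROAD_CAPS = frozenset({"CAP_SYS_ADMIN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH",
                        "CAP_SETUID", "CAP_SETGID", "CAP_MKNOD", "CAP_SYS_PTRACE"})


def parse_unit(text):
    """Return {section: {key: [value, ...]}}, keeping repeated keys in order.
    A line ending in a backslash is joined with the next one, as systemd does."""
    sections = defaultdict(lambda: defaultdict(list))
    section, pending = None, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):                 # continuation: backslash -> space
            pending += stripped[:-1].rstrip() + " "
            continue
        line, pending = pending + stripped, ""
        if not line or line[0] in "#;":             # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and section is not None:
            sections[section][key.strip()].append(value.strip())
    return sections


def merge_capability_lines(values):
    """Fold CapabilityBoundingSet= assignments into (deny_mode, caps):
    deny_mode=False means exactly `caps`; True means everything except `caps`.
    None means the directive was never set (systemd leaves the set untouched)."""
    state = None
    for value in values:
        if value == "":                             # empty assignment: reset to {}
            state = (False, set())
            continue
        invert = value.startswith("~")
        items = set(value.lstrip("~").split())
        if state is None:                           # first assignment defines the mask
            state = (invert, items)
            continue
        deny_mode, caps = state
        if invert:                                  # AND ~items: removes items either way
            caps = caps | items if deny_mode else caps - items
        else:                                       # OR items: adds items either way
            caps = caps - items if deny_mode else caps | items
        state = (deny_mode, caps)
    return state


def effective_caps(*unit_texts):
    """Merge CapabilityBoundingSet= across a unit and its drop-ins, in load order."""
    lines = []
    for text in unit_texts:
        lines.extend(parse_unit(text)["Service"].get("CapabilityBoundingSet", []))
    return merge_capability_lines(lines)


def broad_caps(*unit_texts):
    """Broad capabilities still granted; None if the bounding set is never restricted."""
    state = effective_caps(*unit_texts)
    if state is None:
        return None
    deny_mode, caps = state
    return BROAD_CAPS - caps if deny_mode else BROAD_CAPS & caps


if __name__ == "__main__":
    print("profile alone still grants:", sorted(broad_caps(DEFAULT_PROFILE)))
    print("profile + drop-in grants:", sorted(broad_caps(DEFAULT_PROFILE, TIGHTENING_DROPIN)))
```

# Running it shows that the baseline alone keeps CAP_SYS_ADMIN, CAP_DAC_OVERRIDE,
# CAP_DAC_READ_SEARCH, CAP_SETUID, CAP_SETGID and CAP_MKNOD in the bounding set, and
# that the drop-in reduces it to CAP_NET_BIND_SERVICE. A drop-in that instead wrote
# CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_DAC_OVERRIDE would subtract just those
# two from the profile's list, which is the cheaper edit when a service genuinely
# needs most of the baseline.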