Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| # The "nonetwork" security profile for services, i.e. like "default" but without networking | |
| [Service] | |
| MountAPIVFS=yes | |
| TemporaryFileSystem=/run | |
| BindReadOnlyPaths=/run/systemd/notify | |
| BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout | |
| BindReadOnlyPaths=/etc/machine-id | |
| BindReadOnlyPaths=/run/dbus/system_bus_socket | |
| DynamicUser=yes | |
| RemoveIPC=yes | |
| CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \ | |
| CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_SETGID CAP_SETPCAP \ | |
| CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE | |
| PrivateTmp=yes | |
| PrivateDevices=yes | |
| PrivateUsers=yes | |
| ProtectSystem=strict | |
| ProtectHome=yes | |
| ProtectKernelTunables=yes | |
| ProtectKernelModules=yes | |
| ProtectControlGroups=yes | |
| RestrictAddressFamilies=AF_UNIX AF_NETLINK | |
| LockPersonality=yes | |
| MemoryDenyWriteExecute=yes | |
| RestrictRealtime=yes | |
| RestrictNamespaces=yes | |
| SystemCallFilter=@system-service | |
| SystemCallErrorNumber=EPERM | |
| SystemCallArchitectures=native | |
| PrivateNetwork=yes | |
| IPAddressDeny=any |