Permalink
Cannot retrieve contributors at this time
| # The "nonetwork" security profile for services, i.e. like "default" but without networking | |
| [Service] | |
| MountAPIVFS=yes | |
| TemporaryFileSystem=/run | |
| BindReadOnlyPaths=/run/systemd/notify | |
| BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout | |
| BindReadOnlyPaths=/etc/machine-id | |
| BindReadOnlyPaths=/run/dbus/system_bus_socket | |
| DynamicUser=yes | |
| RemoveIPC=yes | |
| CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \ | |
| CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_SETGID CAP_SETPCAP \ | |
| CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE | |
| PrivateTmp=yes | |
| PrivateDevices=yes | |
| PrivateUsers=yes | |
| ProtectSystem=strict | |
| ProtectHome=yes | |
| ProtectKernelTunables=yes | |
| ProtectKernelModules=yes | |
| ProtectControlGroups=yes | |
| RestrictAddressFamilies=AF_UNIX AF_NETLINK | |
| LockPersonality=yes | |
| MemoryDenyWriteExecute=yes | |
| RestrictRealtime=yes | |
| RestrictNamespaces=yes | |
| SystemCallFilter=@system-service | |
| SystemCallErrorNumber=EPERM | |
| SystemCallArchitectures=native | |
| PrivateNetwork=yes | |
| IPAddressDeny=any |