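# The "nonetwork" security profile for services, i.e. like "default" but without networking.
#
# Read by systemd as a portable-service profile; every key below follows
# systemd.exec(5) / systemd.resource-control(5) [Service] semantics.
# Comments are full-line "#" only. List-type settings (BindReadOnlyPaths=,
# CapabilityBoundingSet=, RestrictAddressFamilies=, SystemCallFilter=) accumulate
# across repeated lines; assigning an empty value would reset the list.
[Service]
# Private /proc, /sys and /dev inside the service's mount namespace.
MountAPIVFS=yes
# Replace /run with an empty tmpfs, then bind back only the host sockets the
# service legitimately needs (allow-list rather than deny-list). None of the
# sources is prefixed with "-", so a missing source path (e.g. no D-Bus on the
# host) makes the service fail to start instead of running without it.
TemporaryFileSystem=/run
# sd_notify(3) readiness/status protocol (Type=notify, WatchdogSec=, ...).
BindReadOnlyPaths=/run/systemd/notify
# Logging to journald: syslog(3) via /dev/log (bound in because PrivateDevices=
# below gives the service its own /dev), plus the native and stdout transports.
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
BindReadOnlyPaths=/etc/machine-id
# System D-Bus. Still reachable without networking because AF_UNIX is permitted below.
BindReadOnlyPaths=/run/dbus/system_bus_socket
# Transient UID/GID allocated per invocation; RemoveIPC= clears SysV/POSIX IPC
# objects on stop so the recycled UID cannot inherit state from a previous run.
# DynamicUser= already implies several of the hardening options below; they are
# listed explicitly so the profile is readable on its own.
DynamicUser=yes
RemoveIPC=yes
# Same bounding set as the "default" profile. CAP_SYS_ADMIN is very broad; the
# mitigating factor is PrivateUsers=yes below, which scopes these capabilities to
# the service's own user namespace so they do not equal host-root privilege.
# Services that need fewer should narrow this further in their own unit.
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \
        CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_SETGID CAP_SETPCAP \
        CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE
PrivateTmp=yes
# Private /dev with pseudo-devices only; no access to physical device nodes.
PrivateDevices=yes
PrivateUsers=yes
# Whole OS tree read-only. Writable locations must be granted explicitly
# (StateDirectory=, CacheDirectory=, LogsDirectory=, ReadWritePaths=).
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# Local IPC only: AF_INET/AF_INET6/AF_PACKET sockets cannot be created at all.
# AF_NETLINK is kept, presumably so libraries that enumerate interfaces via
# rtnetlink keep working; it only observes the private network namespace set up
# by PrivateNetwork= below.
RestrictAddressFamilies=AF_UNIX AF_NETLINK
LockPersonality=yes
# No writable+executable memory mappings. Breaks JIT-based runtimes; such
# services must override this in their own unit rather than in the profile.
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
# Allow-list of syscalls for typical system services. Filtered calls fail with
# EPERM instead of killing the process with SIGSYS, so the service gets an error
# return it can handle. Native ABI only: no 32-bit compat syscall surface.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
# The "nonetwork" part: a private network namespace in which only a loopback
# interface exists. IPAddressDeny=any is defence in depth on top of that — it
# also drops IP traffic on that loopback and keeps a second, independent
# control in place should PrivateNetwork= be loosened elsewhere.
PrivateNetwork=yes
IPAddressDeny=any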