6f659e5075
… but leave the "trusted" profile unmodified, it shall have full access to all system calls, as before.
32 lines
775 B
Plaintext
32 lines
775 B
Plaintext
# The "strict" security profile for services, all options turned on
|
|
|
|
[Service]
|
|
MountAPIVFS=yes
|
|
TemporaryFileSystem=/run
|
|
BindReadOnlyPaths=/run/systemd/notify
|
|
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
|
|
BindReadOnlyPaths=/etc/machine-id
|
|
DynamicUser=yes
|
|
RemoveIPC=yes
|
|
CapabilityBoundingSet=
|
|
PrivateTmp=yes
|
|
PrivateDevices=yes
|
|
PrivateUsers=yes
|
|
ProtectSystem=strict
|
|
ProtectHome=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelModules=yes
|
|
ProtectControlGroups=yes
|
|
RestrictAddressFamilies=AF_UNIX
|
|
LockPersonality=yes
|
|
NoNewPrivileges=yes
|
|
MemoryDenyWriteExecute=yes
|
|
RestrictRealtime=yes
|
|
RestrictNamespaces=yes
|
|
SystemCallFilter=@system-service
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallArchitectures=native
|
|
PrivateNetwork=yes
|
|
IPAddressDeny=any
|
|
TasksMax=4
|